0003967
Cloud Computing Compliance Criteria Catalogue – C5:2020
Bundesamt für Sicherheit in der Informationstechnik, Federal Office for Information Security (BSI) (Germany)
Best Practice Guideline
Free
Criteria Catalogue C5:2020
Cloud Computing Compliance Criteria Catalogue – C5:2020
2021-01-21
The document as a whole was last reviewed and released on 2024-12-04T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within Cloud Computing Compliance Criteria Catalogue – C5:2020, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for Cloud Computing Compliance Criteria Catalogue – C5:2020 are based upon terms found within the Authority Document's defined terms section (which most legal documents have) or its glossary and, for the most part, as tagged within each mandate. The terms with links are the standardized versions of the terms.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
| Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
|---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition/Sale of Assets or Services | Preventive | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Vulnerabilities; OIS-03 ¶ 1 Bullet 1 In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities. DEV-02 ¶ 1 Bullet 3 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for dealing with vulnerabilities, security incidents and malfunctions; SSO-01 ¶ 1 Bullet 6 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service. PSS-02 ¶ 2 Bullet 4] | Communicate | Preventive | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [In procurement, products are preferred which have been certified according to the "Common Criteria for Information Technology Security Evaluation" (short: Common Criteria – CC) according to Evaluation Assurance Level EAL 4. If non-certified products are to be procured instead of available certified products, a risk assessment is carried out in accordance with OIS-07. DEV-01 ¶ 3] | Testing | Detective | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Communicate | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [The Cloud Service Provider has an approval process for the use of hardware to be commissioned, which is used to provide the cloud service in the production environment, in which the risks arising from the commissioning are identified, analysed and mitigated. Approval is granted after verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies. AM-03 ¶ 1 In procurement, products are preferred which have been certified according to the "Common Criteria for Information Technology Security Evaluation" (short: Common Criteria – CC) according to Evaluation Assurance Level EAL 4. If non-certified products are to be procured instead of available certified products, a risk assessment is carried out in accordance with OIS-07. DEV-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Technical Security | Preventive | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 [The Cloud Service Provider applies appropriate measures to check the cloud service for vulnerabilities which might have been integrated into the cloud service during the software development process. PSS-02 ¶ 1 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Static Application Security Testing; PSS-02 ¶ 2 Bullet 1 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Dynamic Application Security Testing; PSS-02 ¶ 2 Bullet 2] | Testing | Detective | |
| Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
|---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [Proof of conformity is always to be provided using the audit standard ISAE 3000 (Revised). Section 3.4.1 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{legal framework} The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Compliance with legal and regulatory frameworks. OPS-10 ¶ 1 Bullet 6] | Communicate | Preventive | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Actionable Reports or Measurements | Preventive | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Actionable Reports or Measurements | Preventive | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Actionable Reports or Measurements | Preventive | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Actionable Reports or Measurements | Preventive | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The report on an attestation engagement includes the following elements: Auditor's responsibility Section 3.4.8 ¶ 2 1 (d)] | Establish Roles | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and Risk Management | Preventive | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 | Business Processes | Preventive | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 | Communicate | Preventive | |
Define the qualification requirements for auditors. CC ID 17259 | Human Resources Management | Preventive | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 [At the client's request, the auditor shall provide appropriate evidence that the audit team meets the qualification requirements. Section 3.4.9 ¶ 5] | Communicate | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): 3 years relevant professional experience with IT audits in a public audit firm Section 3.4.9 ¶ 3 Bullet 1 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: Information Systems Audit and Control Association (ISACA) – Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified in Risk and Information Systems Control (CRISC) Section 3.4.9 ¶ 4 Bullet 1 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: ISO/IEC 27001 Lead Auditor or BSI certified ISO 27001 Auditor for audits based on BSI IT-Grundschutz Section 3.4.9 ¶ 4 Bullet 2 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: Cloud Security Alliance (CSA) – Certificate of Cloud Security Knowledge (CCSK) Section 3.4.9 ¶ 4 Bullet 3 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: (ISC)² – Certified Cloud Security Professional (CCSP) Section 3.4.9 ¶ 4 Bullet 4] | Audits and Risk Management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [In this context, Cloud Service Providers and auditors shall have sufficient time to make the necessary adjustments to the systems and processes and to the execution of the audit associated with the updating of this criteria catalogue. Section 3.5 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Process or Activity | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit terms. CC ID 13880 [{independent audit report} The report on an attestation engagement includes the following elements: General terms of the engagement Section 3.4.8 ¶ 2 1 (h) Since in the case of a direct engagement, the audit is not based on a system description provided by the Cloud Service Provider, the auditor must document details of the general conditions in accordance with the information provided by the Cloud Service Provider. Section 4 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 [In this context, Cloud Service Providers and auditors shall have sufficient time to make the necessary adjustments to the systems and processes and to the execution of the audit associated with the updating of this criteria catalogue. Section 3.5 ¶ 2 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 [According to the BSI, Cloud Service Providers who already have a system description can reuse it in audits according to this criteria catalogue. However, an existing system description that meets the requirements of another standard must be adapted to this criteria catalogue, as necessary. Section 3.4.3.1 ¶ 3 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: Its jurisdiction; and BC-01 ¶ 1 Bullet 1 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: the suitability and effectiveness of the internal control system in relation to the applicable criteria; and BC-06 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and Risk Management | Preventive | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: compliance of the management systems for information security, business continuity and quality with applicable international standards; BC-06 ¶ 1 Bullet 1 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: compliance with the European General Data Protection Regulation (GDPR); BC-06 ¶ 1 Bullet 2 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: certifications or attestations according to industry-specific requirements of cloud customers. BC-06 ¶ 1 Bullet 4] | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 If necessary, the Cloud Service Provider will outsource parts of its business processes for the provision of the cloud service to other service providers (use of subservice organisations). The Cloud Service Provider describes this in its description and the auditor takes this into consideration as specified in the audit standard ISAE 3402. The standard distinguishes for an attestation engagement between the "inclusive method" and the "carve-out method": Section 3.4.5 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: contractual agreements regarding the availability of the Cloud Service not being fulfilled, or Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 1] | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant changes to the policies, procedures and measures, including the controls, to govern the provisioning (development and operation) of the Cloud Services with respect to the applicable C5 Criteria, that have been implemented during the period under review; Section 3.4.4.1 ¶ 2 Bullet 1 If the Cloud Service Provider can provide evidence of additional controls not previously stated in the description, but in place for non-covered elements of the C5 criteria, the Cloud Service Provider shall include these controls in the description or adjust the existing control descriptions and present these changes in an appropriate form. Section 3.4.6 ¶ 2 In the course of a specified period, it may happen that the assessment of the effectiveness of the policies, procedures and measures applied by the Cloud Service Provider relates both to the status before and after the implementation of such adjustments. The system description should include the adjustments made (cf. Section 3.4.4.1). In the case of a direct engagement, the auditor must obtain and disclose this information. Section 3.5 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: Section 3.4.4.1 ¶ 2 Bullet 2 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: unauthorised third parties having gained access to the data of cloud customers stored in the cloud service, or Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 2 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: the integrity of the data stored in the cloud service was compromised and the protective measures put in place (e.g. data backup) were not effective, Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: the integrity of the data stored in the cloud service was compromised and the protective measures put in place (e.g. data backup) were not effective, Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 3 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: as well as the measures initiated by the Cloud Service Provider to prevent such events and conditions in the future. Section 3.4.4.1 ¶ 3 If the Cloud Service Provider can provide evidence of additional controls not previously stated in the description, but in place for non-covered elements of the C5 criteria, the Cloud Service Provider shall include these controls in the description or adjust the existing control descriptions and present these changes in an appropriate form. Section 3.4.6 ¶ 2 The report on an attestation engagement includes the following elements: Description of the Cloud Service Provider's service-related system of internal control to meet the C5 criteria. Section 3.4.8 ¶ 2 3.] | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 [{in scope system description} {refrain from distorting} The description shall not omit or distort any information relevant to the fulfilment of the applicable C5 criteria. This does not mean that all aspects of the service-related internal control system that can be considered important from the point of view of individual customers of the Cloud Service Provider should be presented. It should be noted that the description is intended to achieve an appropriate level of transparency for a broad range of customers and that some of the processes can be customised. Section 3.4.4.1 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 [To the extent applicable for the certification or attestation, the following information are provided: date or period of validity or coverage. BC-06 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8] | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 [{cannot provide} {complementary user entity control} In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel. SSO-01 ¶ 4] | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and Risk Management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [The ISAE 3000 (Revised) audit standard distinguishes between audit engagements with "reasonable assurance" and audit engagements with "limited assurance". According to the BSI, auditors should perform reasonable assurance audits to provide conformity with this criteria catalogue. Section 3.4.1 ¶ 2] | Communicate | Preventive | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [When assessing the coverage of C5 criteria by results obtained during other audits, particular consideration shall be given to the nature of the audit and compared with the 'reasonable assurance' required for an attestation engagement or a direct engagement (cf. Section 3.4.1). For example, results from ISO certification audits are to be assessed differently from those obtained from an ISAE 3000 audit. Section 3.3 ¶ 4] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [According to ISAE 3000 (Revised), the auditor must determine before accepting an engagement that the professional duties (for auditors in Germany § 43 WPO, German Law regulating the Profession of Wirtschaftsprüfer: Wirtschaftsprüferordnung), including the duty of independence, are complied with. Based on the auditor's knowledge of the subject matter, the auditor shall assess whether the members of the audit team entrusted with the engagement have the necessary competency and understanding of the industry as well as capabilities to perform the audit and whether sufficient experience with the relevant formal requirements is available or can be obtained. Section 3.4.9 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [Subject matter experts check the compliance of the information security management system at regular intervals, at least annually, with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) as well as compliance with the policies and instructions (cf. SP-01) within their scope of responsibility (cf. OIS-01) through internal audits. COM-03 ¶ 1] | Audits and Risk Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [Subject matter experts check the compliance of the information security management system at regular intervals, at least annually, with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) as well as compliance with the policies and instructions (cf. SP-01) within their scope of responsibility (cf. OIS-01) through internal audits. COM-03 ¶ 1] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the controls stated in the description were suitably designed and implemented to meet the applicable C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report); and, Section 3.4.4.2 ¶ 1 Bullet 2] | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Audits and Risk Management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2 {cannot provide} {complementary user entity control} In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel. SSO-01 ¶ 4 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the activities; COM-02 ¶ 1 Bullet 1] | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [{independent audit report} The report on an attestation engagement includes the following elements: Independent auditor's report Section 3.4.8 ¶ 2 1.] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the purpose in the audit report. CC ID 17263 [{independent audit report} The report on an attestation engagement includes the following elements: Intended users and purpose Section 3.4.8 ¶ 2 1 (g)] | Establish/Maintain Documentation | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6] | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 [{independent audit report} Compliance with the qualification requirements shall be confirmed in the section "Independence and quality control of the auditor/auditing firm" of the independent auditor's report. Section 3.4.9 ¶ 6] | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Include written agreements in the audit report. CC ID 17266 [In this context, a reference to a liability agreement must be made in the audit report. Section 3.4.10 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 [{independent audit report} The report on an attestation engagement includes the following elements: Inherent limitations Section 3.4.8 ¶ 2 1 (e)] | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9)) Section 3.4.8 ¶ 2 1 (c)] | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9)) Section 3.4.8 ¶ 2 1 (c)] | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 [{audit criteria} {be applicable} The applicable C5 criteria are to be presented in the audit report's section containing the C5 criteria, controls, test procedures and results. Section 3.4.2.1 ¶ 3 {audit criteria} The report on an attestation engagement includes the following elements: Presentation of the applicable C5 criteria, the associated controls (part of the description), test procedures performed and the individual test results of the auditor. Section 3.4.8 ¶ 2 4.] | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 [{independent audit report} The report on an attestation engagement includes the following elements: Intended users and purpose Section 3.4.8 ¶ 2 1 (g)] | Actionable Reports or Measurements | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: The measures to be taken to remedy the deviation in the future and when these measures are likely to be completed or effectively implemented. Section 3.4.7 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and Risk Management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6 {audit criteria} The report on an attestation engagement includes the following elements: Presentation of the applicable C5 criteria, the associated controls (part of the description), test procedures performed and the individual test results of the auditor. Section 3.4.8 ¶ 2 4. In case of a direct engagement, the components 2 'Written statement' and 3 'Description' are omitted. Nevertheless, the minimum contents of the description mentioned in Section 3.4.4.1 shall be presented in all material respects in the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Such information shall be provided in a separate section, e.g. "Description of the cloud service and the policies, procedures and measures applied by the Cloud Service Provider". Section 3.4.8 ¶ 3 An adjustment of the description may be waived if the descriptions of the auditor's test procedures clearly state how the elements of the C5 criteria not covered by the control description were audited. Such test procedures shall be marked in an appropriate form (e.g. "Further test procedure for assessing full coverage of the C5 criterion"). Section 3.4.6 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 [The test procedures performed shall be described for both suitability of design (type 1 report) and operating effectiveness (type 2 report) engagements. Section 3.4.8 ¶ 4 An adjustment of the description may be waived if the descriptions of the auditor's test procedures clearly state how the elements of the C5 criteria not covered by the control description were audited. Such test procedures shall be marked in an appropriate form (e.g. "Further test procedure for assessing full coverage of the C5 criterion"). Section 3.4.6 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: where mandated (type 2 report), the controls stated in the description operated effectively throughout a specified period. Section 3.4.4.2 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the description fairly presents the Cloud Service Provider's service-related system of internal control to meet the C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report) and includes the minimum content as set forth in Section 3.4.4.1 this criteria catalogue; Section 3.4.4.2 ¶ 1 Bullet 1 {responsible personnel} The report on an attestation engagement includes the following elements: Written statement by the Cloud Service Provider's management responsible for the cloud service(s). Section 3.4.8 ¶ 2 2. {independent audit report} The report on an attestation engagement includes the following elements: Cloud Service Provider's responsibility Section 3.4.8 ¶ 2 1 (b)] | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the description fairly presents the Cloud Service Provider's service-related system of internal control to meet the C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report) and includes the minimum content as set forth in Section 3.4.4.1 this criteria catalogue; Section 3.4.4.2 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 [{attestation engagement} The Cloud Service Provider shall select the method to be used at its own discretion and state it accordingly in the description (cf. Section 3.4.4.1 on Minimum Contents of the System Description). Section 3.4.5 ¶ 2 {independent audit report} {audit criteria} The report on an attestation engagement includes the following elements: Scope and C5 version Section 3.4.8 ¶ 2 1 (a)] | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6 In case of a direct engagement, the components 2 'Written statement' and 3 'Description' are omitted. Nevertheless, the minimum contents of the description mentioned in Section 3.4.4.1 shall be presented in all material respects in the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Such information shall be provided in a separate section, e.g. "Description of the cloud service and the policies, procedures and measures applied by the Cloud Service Provider". Section 3.4.8 ¶ 3] | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 [The report on an attestation engagement includes the following elements: Optional: Other information provided by the Cloud Service Provider (this information is not subject of the audit, and, accordingly, the auditor does not express an opinion thereon). Section 3.4.8 ¶ 2 5.] | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 [{independent audit report} {audit criteria} The report on an attestation engagement includes the following elements: Scope and C5 version Section 3.4.8 ¶ 2 1 (a)] | Audits and Risk Management | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was detected by the Cloud Service Provider itself, when and in the course of which measures the deviation was detected. Section 3.4.7 ¶ 2 Bullet 1 Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: Section 3.4.7 ¶ 2 Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Establish/Maintain Documentation | Preventive | |
Include an audit opinion in the audit report. CC ID 07017 [{independent audit report} The report on an attestation engagement includes the following elements: Audit Opinion Section 3.4.8 ¶ 2 1 (f)] | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 [Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Inquiry of management of the Cloud Service Provider regarding their assessment of the cause of the identified deviation; Section 3.4.7 ¶ 1 Bullet 1 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Assessment of the Cloud Service Provider's handling of the identified deviation; Section 3.4.7 ¶ 1 Bullet 2 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Assessment whether comparable deviations have been identified by the Cloud Service Provider's monitoring processes and what measures have been taken as a result; and, Section 3.4.7 ¶ 1 Bullet 3 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Verification whether compensating controls are in place and effective to address the risks arising from the deviation in such a way that the C5 criterion is met with reasonable assurance. This concerns, for example, the assessment of alternative organisational and technical approaches of the Cloud Service Provider to meet the applicable C5 criteria, which have not been considered in the design of the criteria set out in this criteria catalogue. Section 3.4.7 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{independent audit report} {internal control system} The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance. SSO-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Establish/Maintain Documentation | Corrective | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: The measures to be taken to remedy the deviation in the future and when these measures are likely to be completed or effectively implemented. Section 3.4.7 ¶ 2 Bullet 3] | Actionable Reports or Measurements | Corrective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9)) Section 3.4.8 ¶ 2 1 (c) According to ISAE 3000 (Revised), the auditor must determine before accepting an engagement that the professional duties (for auditors in Germany § 43 WPO, German Law regulating the Profession of Wirtschaftsprüfer: Wirtschaftsprüferordnung), including the duty of independence, are complied with. Based on the auditor's knowledge of the subject matter, the auditor shall assess whether the members of the audit team entrusted with the engagement have the necessary competency and understanding of the industry as well as capabilities to perform the audit and whether sufficient experience with the relevant formal requirements is available or can be obtained. Section 3.4.9 ¶ 1] | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 [The criteria in this criteria catalogue shall be applied for periods being assessed ending on or after February 15, 2021. Earlier application of these criteria is permitted. Section 3.5 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 [{annual basis} The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: OIS-07 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 [{confidentiality} {authentication information} Deviations are evaluated by means of a risk analysis and mitigating measures derived from this are implemented. IDM-08 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2 {vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Processing, storage or transmission of data of cloud customers with different protection needs; OIS-07 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Occurrence of vulnerabilities and malfunctions in technical protective measures for separating shared resources; OIS-07 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 [The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Administration of rights profiles, approval and assignment of access and access authorisations (cf. IDM-01); OIS-04 ¶ 2 Bullet 1 The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The Information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Audits and Risk Management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19). OIS-05 ¶ 1] | Technical Security | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners; OIS-06 ¶ 1 Bullet 1 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and Risk Management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Analysis of the probability and impact of occurrence and determination of the level of risk; OIS-06 ¶ 1 Bullet 2] | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Attacks via access points, including interfaces accessible from public networks; OIS-07 ¶ 1 Bullet 3 The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Operation of the system components. OIS-04 ¶ 2 Bullet 3 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 [Security requirements for premises and buildings related to the cloud service provided, are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2] | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Possible scenarios based on a risk analysis; BCM-02 ¶ 1 Bullet 1] | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of time targets for the maximum reasonable period during which data can be lost and not recovered (RPO); and BCM-02 ¶ 1 Bullet 9] | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (RTO); BCM-02 ¶ 1 Bullet 8] | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: Impact of a protection breach on the provision of the cloud service; SSO-02 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Analysis of the probability and impact of occurrence and determination of the level of risk; OIS-06 ¶ 1 Bullet 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: BCM-02 ¶ 1] | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: Protection needs regarding the confidentiality, integrity, availability and authenticity of information processed, stored or transmitted by the third party; SSO-02 ¶ 2 Bullet 1] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of critical products and services; BCM-02 ¶ 1 Bullet 2 Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Capture threats to critical products and services; BCM-02 ¶ 1 Bullet 4] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling; OIS-06 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Process or Activity | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and OIS-06 ¶ 1 Bullet 4] | Behavior | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling; OIS-06 ¶ 1 Bullet 3] | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Testing | Detective | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and OIS-06 ¶ 1 Bullet 4] | Communicate | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [{confidentiality} {authentication information} Deviations are evaluated by means of a risk analysis and mitigating measures derived from this are implemented. IDM-08 ¶ 2] | Establish/Maintain Documentation | Corrective | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2] | Business Processes | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Dependencies on subservice organisations. OIS-07 ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: OIS-06 ¶ 1 Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Documentation of the activities implemented to enable consistent, valid and comparable results. OIS-06 ¶ 1 Bullet 5] | Communicate | Preventive | |
Establish, implement, and maintain a disclosure report. CC ID 15521 | Establish/Maintain Documentation | Preventive | |
Include metrics in the disclosure report. CC ID 15916 | Establish/Maintain Documentation | Preventive | |
Include operational metrics in the disclosure report. CC ID 15939 | Establish/Maintain Documentation | Preventive | |
Include incident management metrics in the disclosure report. CC ID 15926 | Establish/Maintain Documentation | Preventive | |
Include the total user downtime in the disclosure report. CC ID 15635 [The cloud provider provides subject matter experts of cloud customers with comprehensible and transparent information on the availability of the data centres used to provide the cloud service (including data centres operated by subcontractors), as needed. The information shows availability and downtime over one year according to industry standard classification schemes. The information enables cloud customers to assess the cloud service as part of their business impact analysis. BC-04 ¶ 1] | Actionable Reports or Measurements | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Harmonization Methods and Manual of Style CC ID 06095 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain organizational documents. CC ID 16202 | Establish/Maintain Documentation | Preventive | |
Include version control on organizational documents. CC ID 16268 [{information security policy} The policies and instructions are version controlled and approved by the top management of the Cloud Service Provider or an authorised body. SP-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners; OIS-06 ¶ 1 Bullet 1] | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [The Cloud Service Provider informs employees and external business partners of their obligations. If necessary, they agree to or are contractually obliged to report all security events that become known to them and are directly related to the cloud service provided by the Cloud Service Provider to a previously designated central office of the Cloud Service Provider promptly. SIM-04 ¶ 1] | Human Resources Management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources Management | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources Management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Human Resources Management | Preventive | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 [The Cloud Service Provider's internal and external employees are provably committed to the policies and instructions for acceptable use and safe handling of assets before they can be used if the Cloud Service Provider has determined in a risk assessment that loss or unauthorised access could compromise the information security of the Cloud Service. AM-05 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The competency and integrity of all internal and external employees of the Cloud Service Provider with access to cloud customer data or system components under the Cloud Service Provider's responsibility who are responsible to provide the cloud service in the production environment shall be verified prior to commencement of employment in accordance with local legislation and regulation by the Cloud Service Provider. HR-01 ¶ 1] | Testing | Detective | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Evaluation of the risk to be blackmailed. HR-01 ¶ 2 Bullet 6] | Human Resources Management | Detective | |
Perform a criminal records check during personnel screening. CC ID 06643 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Request of a police clearance certificate for applicants; HR-01 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Certificate of good conduct or national equivalent; and HR-01 ¶ 2 Bullet 5] | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of academic titles and degrees; HR-01 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of the CV; HR-01 ¶ 2 Bullet 2] | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation's assets are protected in the event of changes in responsibilities or termination. Section 5.3 Objective] | Establish/Maintain Documentation | Preventive | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1] | Technical Security | Corrective | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources Management | Preventive | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources Management | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [{duration} Internal and external employees have been informed about which responsibilities, arising from employment terms and conditions relating to information security, will remain in place when their employment is terminated or changed and for how long. HR-05 ¶ 1] | Human Resources Management | Preventive | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources Management | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources Management | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Conflicting tasks and responsibilities are separated based on an OIS-06 risk assessment to reduce the risk of unauthorised or unintended changes or misuse of cloud customer data processed, stored or transmitted in the cloud service. OIS-04 ¶ 1 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Segregation of duties between managing, approving and assigning user accounts and access rights; IDM-01 ¶ 1 Bullet 4] | Testing | Detective | |
Train all personnel and third parties, as necessary. CC ID 00785 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1] | Behavior | Preventive | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Training | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Training | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 | Training | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Include cloud security in the security awareness program. CC ID 13039 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; HR-03 ¶ 1 Bullet 1] | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2 The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1 The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Information security awareness and training requirements for staff; SSO-01 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include data management in the security awareness program. CC ID 17010 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Handling cloud customer data in accordance with applicable policies and instructions and applicable legal and regulatory requirements; HR-03 ¶ 1 Bullet 2] | Training | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Information about the current threat situation; and HR-03 ¶ 1 Bullet 3 The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1] | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [The Cloud Service Provider informs employees and external business partners of their obligations. If necessary, they agree to or are contractually obliged to report all security events that become known to them and are directly related to the cloud service provided by the Cloud Service Provider to a previously designated central office of the Cloud Service Provider promptly. SIM-04 ¶ 1] | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [The information security policy, and the policies and instructions based on it, are to be acknowledged by the internal and external personnel in a documented form before access is granted to any cloud customer data or system components under the responsibility of the Cloud Service Provider used to provide the cloud service in the production environment. HR-02 ¶ 2 Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation's assets are protected in the event of changes in responsibilities or termination. Section 5.3 Objective] | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Behavior | Corrective | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Conflicting tasks and areas of responsibility that cannot be separated for organisational or technical reasons; and OIS-07 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Establish/Maintain Documentation | Preventive | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Monitor and Evaluate Occurrences | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Communicate | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Establish/Maintain Documentation | Preventive | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [The Cloud Service Provider's internal and external employees are required by the employment terms and conditions to comply with applicable policies and instructions relating to information security. HR-02 ¶ 1] | Human Resources Management | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: Consideration of the nature and severity of the violation and its impact. HR-04 ¶ 1 Bullet 2] | Behavior | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain communication protocols. CC ID 12245 [Communication takes place through standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements. Communication over untrusted networks is encrypted according to CRY-02. PI-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Communicate | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 [The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Faults in planning; PS-01 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [{information security organization} If the cloud service is used by public sector organisations in Germany, the Cloud Service Provider leverages contacts with the National IT Situation Centre and the CERT Association of the BSI. OIS-05 ¶ 2 The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19). OIS-05 ¶ 1] | Technical Security | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1 The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Business Processes | Corrective | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service. OIS-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define the scope of the security policy. CC ID 07145 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Scope of the ISMS (Section 4.3 of ISO/IEC 27001); OIS-01 ¶ 2 Bullet 1 {security requirements} The policies and instructions describe at least the following aspects: Scope; SP-01 ¶ 3 Bullet 2] | Data and Information Management | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Identify the organisation's own assets and ensure an appropriate level of protection throughout their lifecycle. Section 5.4 Objective] | Business Processes | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Up-to-datedness of the documentation in the distribution list; PS-06 ¶ 1(d) Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of effects resulting from planned and unplanned malfunctions and changes over time; BCM-02 ¶ 1 Bullet 5] | Business Processes | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3 {applicable requirements} The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service as well as the Cloud Service Provider's procedures for complying with these requirements are explicitly defined and documented. COM-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Declaration of applicability (Section 6.1.3), and OIS-01 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Information on the general conditions of the cloud service in accordance with the criteria in Section 5 this criteria catalogue, which enable potential customers of the Cloud Service Provider to assess its suitability for their use case; Section 3.4.4.1 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Corrective | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive | |
Establish, implement, and maintain a public oversight system. CC ID 17284 | Business Processes | Preventive | |
Establish, implement, and maintain an oversight plan. CC ID 17302 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Communicate | Preventive | |
Establish, implement, and maintain an oversight team. CC ID 17303 | Process or Activity | Preventive | |
Include roles and responsibilities in the public oversight system. CC ID 17285 | Establish/Maintain Documentation | Preventive | |
Define the strategic Information Assurance roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Establish Roles | Detective | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 [{information security policy} The review shall consider at least the following aspects: Organisational and technical changes in the procedures for providing the cloud service; and SP-02 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 [The top management of the Cloud Service Provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS that is performed at least once a year. COM-04 ¶ 1] | Establish Roles | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [Provide policies and instructions regarding security requirements and to support business requirements. Section 5.2 Objective] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Communicate | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Establish/Maintain Documentation | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Communicate | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Communicate | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the planning policy. CC ID 14686 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Establish/Maintain Documentation | Preventive | |
Include the scope in the planning policy. CC ID 14684 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the planning policy. CC ID 14683 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security planning policy. CC ID 14131 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the security planning policy. CC ID 14129 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security planning policy. CC ID 14127 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security planning policy. CC ID 14126 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Communicate | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Communicate | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Business Processes | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Communicate | Preventive | |
Establish, implement, and maintain a tactical plan. CC ID 12785 | Establish/Maintain Documentation | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 | Establish/Maintain Documentation | Preventive | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 | Actionable Reports or Measurements | Preventive | |
Review and approve the closure report. CC ID 16947 | Actionable Reports or Measurements | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | | | |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for errors and faults. CC ID 04544 [The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1 The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Malfunctions. OIS-03 ¶ 1 Bullet 3 Deviations from the specifications are reported to the responsible personnel or system components so that these can promptly assess the deviations and initiate the necessary actions. OPS-08 ¶ 2 System components in the Cloud Service Provider's area of responsibility are automatically monitored for compliance with hardening specifications. Deviations from the specifications are automatically reported to the appropriate departments of the Cloud Service Provider for immediate assessment and action. OPS-23 ¶ 3 {automate} Identified violations and discrepancies are automatically reported to the responsible personnel or system components of the Cloud Service Provider for prompt assessment and action. SSO-04 ¶ 6 At startup and runtime of virtual machine or container images, an integrity check is performed that detects image manipulations and reports them to the cloud customer. PSS-11 ¶ 2] | Communicate | Corrective | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Responding to Failures in Security Controls procedures. CC ID 12514 | Establish/Maintain Documentation | Preventive | |
Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure. CC ID 12521 [The system components for logging and monitoring are designed in such a way that the overall functionality is not restricted if individual components fail. OPS-17 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [The Cloud Service Provider monitors the system components for logging and monitoring in its area of responsibility. Failures are automatically and promptly reported to the Cloud Service Provider's responsible departments so that these can assess the failures and take required action. OPS-17 ¶ 1 The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: OPS-12 ¶ 1] | Log Management | Detective | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Establish/Maintain Documentation | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Communicate | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Communicate | Preventive | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective Depending on the capabilities of the respective service model, the cloud customer can control and monitor the allocation of the system resources assigned to the customer for administration/use in order to avoid overcrowding of resources and to achieve sufficient performance. OPS-03 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Malfunctions during processing of automatic or manual actions; and PSS-04 ¶ 2 Bullet 2 If the cloud customer is responsible for the activation or type and scope of logging, the Cloud Service Provider must provide appropriate logging capabilities. PSS-04 ¶ 4] | Log Management | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Establish/Maintain Documentation | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions. OIS-04 ¶ 3 Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Detect unauthorized access to systems. CC ID 06798 [The security measures are designed to detect and prevent unauthorised access so that the information security of the cloud service is not compromised. PS-03 ¶ 2] | Monitor and Evaluate Occurrences | Detective | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Acquisition/Sale of Assets or Services | Preventive | |
Define and assign log management roles and responsibilities. CC ID 06311 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Define roles and responsibilities for setting up and monitoring logging; OPS-10 ¶ 1 Bullet 4] | Establish Roles | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 [The relevant logs or summarised results are available to the cloud customer in a self-service portal for monitoring the data backup. OPS-07 ¶ 2 On request of the cloud customer, the Cloud Service Provider provides the logs relating to the cloud customer in an appropriate form and in a timely manner so that the cloud customer can investigate any incidents relating to them. OPS-15 ¶ 3 Cloud users can retrieve security-related information via documented interfaces which are suitable for further processing this information as part of their Security Information and Event Management (SIEM). PSS-04 ¶ 5] | Log Management | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [{take into account} Logging and monitoring applications take the asset protection needs into account in order to inform the responsible stakeholder of events that could lead to a violation of the protection goals, so that the necessary measures are taken with an appropriate priority. Actions for events on assets with a higher level of protection take precedence over events on assets with a lower need for protection. AM-06 ¶ 3 Logging and monitoring applications take into account the information collected on the assets in order to identify the impact on cloud services and functions in case of events that could lead to a breach of protection objectives, and to support information provided to affected cloud customers in accordance with contractual agreements. AM-01 ¶ 4 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Logging and monitoring of activities. COM-02 ¶ 1 Bullet 3] | Log Management | Detective | |
Establish, implement, and maintain an event logging policy. CC ID 15217 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain event logging procedures. CC ID 01335 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Specifications for activating, stopping and pausing the various logs; OPS-10 ¶ 1 Bullet 2] | Log Management | Detective | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 [Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Establish/Maintain Documentation | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Technical Security | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The logging data is automatically monitored for events that may violate the protection goals in accordance with the logging and monitoring requirements. This also includes the detection of relationships between events (event correlation). OPS-13 ¶ 1 Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Log Management | Detective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 [The logging data is automatically monitored for events that may violate the protection goals in accordance with the logging and monitoring requirements. This also includes the detection of relationships between events (event correlation). OPS-13 ¶ 1] | Technical Security | Detective | |
Enable logging for all systems that meet the traceability criteria. CC ID 00640 [The Cloud Service Provider grants its cloud customers contractually guaranteed information and audit rights. COM-02 ¶ 2 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Error handling and logging mechanisms; PSS-01 ¶ 2 Bullet 3 The cloud service provided is equipped with error handling and logging mechanisms. These enable cloud users to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides. PSS-04 ¶ 1] | Log Management | Detective | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Configuration | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Time synchronisation of system components; and OPS-10 ¶ 1 Bullet 5] | Configuration | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [{security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Which data, services or functions available to the cloud user within the cloud service, have been accessed by whom and when (Audit Logs); PSS-04 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate system performance. CC ID 00651 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Performance and availability of system components; SSO-04 ¶ 5 Bullet 2] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Information regarding the purpose and retention period of the logs; OPS-10 ¶ 1 Bullet 3 Cloud customers can view compliance with selected contractual requirements in real time. COM-03 ¶ 5] | Communicate | Preventive | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions. OIS-04 ¶ 3 Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Technical Security | Corrective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 [{risk assess} The entirety of the conception and configuration undertaken to monitor the connections mentioned is assessed in a risk-oriented manner, at least annually, with regard to the resulting security requirements. COS-03 ¶ 2] | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Investigate | Detective | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitor and Evaluate Occurrences | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Investigate | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Investigate | Detective | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [{malware} The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the subject matter experts so that the deviations are immediately assessed and the necessary measures taken. OPS-05 ¶ 2 System components in the Cloud Service Provider's area of responsibility are automatically monitored for compliance with hardening specifications. Deviations from the specifications are automatically reported to the appropriate departments of the Cloud Service Provider for immediate assessment and action. OPS-23 ¶ 3 The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Configuration of system components; SSO-04 ¶ 5 Bullet 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
Implement file integrity monitoring. CC ID 01205 [At startup and runtime of virtual machine or container images, an integrity check is performed that detects image manipulations and reports them to the cloud customer. PSS-11 ¶ 2] | Monitor and Evaluate Occurrences | Detective | |
Monitor for software configurations updates absent authorization. CC ID 10676 [{malware} The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the subject matter experts so that the deviations are immediately assessed and the necessary measures taken. OPS-05 ¶ 2] | Monitor and Evaluate Occurrences | Preventive | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
Create specific test plans to test each system component. CC ID 00661 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the performance and documentation of tests; DEV-03 ¶ 1 Bullet 2 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a testing program. CC ID 00654 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the performance and documentation of tests; DEV-03 ¶ 1 Bullet 2 The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Behavior | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Technical Security | Detective | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Testing | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Testing | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Testing | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Data and Information Management | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Testing | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Behavior | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Testing | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for segregation of duties during development, testing and release of changes; DEV-03 ¶ 1 Bullet 3] | Testing | Detective | |
Define the test requirements for each testing program. CC ID 13177 | Establish/Maintain Documentation | Preventive | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Testing | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Communicate | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [The security measures are designed to detect and prevent unauthorised access so that the information security of the cloud service is not compromised. PS-03 ¶ 2] | Configuration | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Process or Activity | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Process or Activity | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. OPS-19 ¶ 4] | Establish Roles | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 [The Cloud Service Provider has penetration tests carried out by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to a documented test methodology and include the system components relevant to the provision of the cloud service in the area of responsibility of the Cloud Service Provider, which have been identified as such in a risk analysis. OPS-19 ¶ 1 The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. OPS-19 ¶ 4] | Testing | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 [The Cloud Service Provider has penetration tests carried out by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to a documented test methodology and include the system components relevant to the provision of the cloud service in the area of responsibility of the Cloud Service Provider, which have been identified as such in a risk analysis. OPS-19 ¶ 1] | Testing | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Technical Security | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 [Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Conformity of the actual wiring and patching with the documentation; PS-06 ¶ 1(d) Bullet 3 {not be needed} {grounding} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: The short-circuits and earthing of unneeded cables are intact; and PS-06 ¶ 1(d) Bullet 4 {unauthorized installation} {unauthorized modification} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Impermissible installations and modifications. PS-06 ¶ 1(d) Bullet 5] | Establish/Maintain Documentation | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: dealing with incidents and vulnerabilities; and AM-02 ¶ 1 Bullet 11 The Cloud Service Provider regularly measures, analyses and assesses the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness. OPS-20 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Assessment of the severity of identified vulnerabilities; OPS-18 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1] | Technical Security | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Testing | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Regular identification of vulnerabilities; OPS-18 ¶ 1 Bullet 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Information sources on known vulnerabilities and update mechanisms; PSS-01 ¶ 2 Bullet 2 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Assessment of the severity of identified vulnerabilities; OPS-18 ¶ 1 Bullet 2] | Investigate | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 [{technical measure} Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: OPS-18 ¶ 1 Identified vulnerabilities and deviations are automatically reported to the appropriate Cloud Service Provider's subject matter experts for immediate assessment and action. COM-03 ¶ 4] | Communicate | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 [The Cloud Service Provider operates or refers to a daily updated online register of known vulnerabilities that affect the Cloud Service Provider and assets provided by the Cloud Service Provider that the cloud customers have to install, provide or operate themselves under the customers' responsibility. PSS-03 ¶ 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Information sources on known vulnerabilities and update mechanisms; PSS-01 ¶ 2 Bullet 2] | Configuration | Corrective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1 The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria and actions for timely remediation or mitigation are initiated. DEV-06 ¶ 3 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2 The severity of identified vulnerabilities is assessed according to defined criteria and measures are taken to immediately eliminate or mitigate them. PSS-02 ¶ 3 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Technical Security | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 [The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. PSS-02 ¶ 4] | Technical Security | Preventive | |
Document and maintain test results. CC ID 17028 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Results of the last management review (Section 9.3). OIS-01 ¶ 2 Bullet 3 {assessment} {incident management} {vulnerability management} Results are evaluated at least quarterly by accountable departments at the Cloud Service Provider to initiate continuous improvement actions and to verify their effectiveness. OPS-20 ¶ 2] | Testing | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Establish/Maintain Documentation | Preventive | |
Include time information in the test results. CC ID 17105 | Establish/Maintain Documentation | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 [At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management. OPS-08 ¶ 3] | Communicate | Preventive | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [{not been implemented} Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Handling of system components for which no measures are initiated for the timely remediation or mitigation of vulnerabilities. OPS-18 ¶ 1 Bullet 4 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2 {vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Technical Security | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 [{criticality level} For findings with medium or high criticality regarding the confidentiality, integrity or availability of the cloud service, actions must be taken within defined time windows for prompt remediation or mitigation. OPS-19 ¶ 3 The Cloud Service Provider assesses the severity of the findings made in penetration tests according to defined criteria. OPS-19 ¶ 2] | Establish/Maintain Documentation | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1 Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1 The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria and actions for timely remediation or mitigation are initiated. DEV-06 ¶ 3 The severity of identified vulnerabilities is assessed according to defined criteria and measures are taken to immediately eliminate or mitigate them. PSS-02 ¶ 3 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Technical Security | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The appropriate and effective verification of implementation is carried out in accordance with the criteria for controlling and monitoring subcontractors (cf. SSO-01, SSO-02). PS-01 ¶ 4 The Cloud Service Provider monitors compliance with information security requirements and applicable legal and regulatory requirements in accordance with policies and instructions concerning controlling and monitoring of third-parties. SSO-04 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: Verifying whether a violation has occurred; and HR-04 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: HR-04 ¶ 1 Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Behavior | Corrective | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 [The use of disciplinary measures is appropriately documented. HR-04 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [The internal and external employees of the Cloud Service Provider are informed about possible disciplinary measures. HR-04 ¶ 2] | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Access only for authorised users and systems; OPS-12 ¶ 1 Bullet 1] | Log Management | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 [Personal data is automatically removed from the log data before the Cloud Service Provider processes it as far as technically possible. The removal is done in a way that allows the Cloud Service Provider to continue to use the log data for the purpose for which it was collected. OPS-11 ¶ 2 {be specific} {logical separation} The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out. OPS-14 ¶ 3] | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 [The logged information is protected from unauthorised access and modification and can be deleted by the Cloud Customer. PSS-04 ¶ 3] | Log Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [Based on the business impact analysis, a single framework for operational continuity and business plan planning will be implemented, documented and enforced to ensure that all plans are consistent. Planning is based on established standards, which are documented in a "Statement of Applicability". BCM-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Testing | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Investigate | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Investigate | Detective | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 [The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 [People in management and other relevant leadership positions demonstrate leadership and commitment to this issue by encouraging employees to actively contribute to the effectiveness of continuity and emergency management. BCM-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Communicate | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Establish/Maintain Documentation | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Establish/Maintain Documentation | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Establish/Maintain Documentation | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Establish/Maintain Documentation | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Establish/Maintain Documentation | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Establish/Maintain Documentation | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Establish/Maintain Documentation | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 | Establish/Maintain Documentation | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Establish/Maintain Documentation | Preventive | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Testing | Detective | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Establish/Maintain Documentation | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined purpose and scope with consideration of the relevant dependencies; BCM-03 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Systems Continuity | Detective | |
Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 [Based on the business impact analysis, a single framework for operational continuity and business plan planning will be implemented, documented and enforced to ensure that all plans are consistent. Planning is based on established standards, which are documented in a "Statement of Applicability". BCM-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1 Exit strategies are aligned with operational continuity plans and include the following aspects: Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition; SSO-05 ¶ 2 Bullet 2 {take into account} Business continuity plans and contingency plans take the following aspects into account: Ownership by at least one designated person responsible for review, updating and approval; BCM-03 ¶ 2 Bullet 3] | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2 {take into account} Business continuity plans and contingency plans take the following aspects into account: Interfaces to Security Incident Management. BCM-03 ¶ 2 Bullet 8] | Systems Continuity | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Systems Continuity | Detective | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{take into account} {come into effect} Business continuity plans and contingency plans take the following aspects into account: Methods for putting the plans into effect; BCM-03 ¶ 2 Bullet 6 {take into account} Business continuity plans and contingency plans take the following aspects into account: Continuous process improvement; and BCM-03 ¶ 2 Bullet 7 {take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5 The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Estimation of the resources needed for resumption. BCM-02 ¶ 1 Bullet 10 The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Access to the backed-up data and the execution of restores is performed only by authorised persons; and OPS-06 ¶ 1 Bullet 3] | Systems Continuity | Corrective | |
Include tolerance levels in the continuity plan. CC ID 17305 | Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [Plan, implement, maintain and test procedures and measures for business continuity and emergency management. Section 5.14 Objective The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1 {take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5] | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 [{power supply facility} {emergency power solution} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-06 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Power failure; and PS-01 ¶ 2 Bullet 7] | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Establish/Maintain Documentation | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Recovery time to start emergency operation BC-03 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [Restore procedures are tested regularly, at least annually. The tests allow an assessment to be made as to whether the contractual agreements as well as the specifications for the maximum tolerable downtime (Recovery Time Objective, RTO) and the maximum permissible data loss (Recovery Point Objective, RPO) are adhered to (cf. BCM-02). OPS-08 ¶ 1] | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Tests of recovery procedures (cf. OPS-08). OPS-06 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [{data recovery} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. OPS-06 ¶ 1] | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of restoration priorities; BCM-02 ¶ 1 Bullet 7] | Establish Roles | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [{take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Communicate | Preventive | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Establish/Maintain Documentation | Preventive | |
Identify and document critical facilities. CC ID 17304 | Systems Continuity | Preventive | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Systems Continuity | Detective | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: PS-06 ¶ 1 {power supply} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Operational redundancy (N+1) in power and cooling supply PS-06 ¶ 1(a) Uninterruptible Power Supplies (UPS) and Emergency Power Supplies (NPS) are designed to meet the availability requirements defined in the Service Level Agreement. PS-06 ¶ 2] | Configuration | Preventive | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Physical and Environmental Protection | Preventive | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Physical and Environmental Protection | Preventive | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Configuration | Preventive | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Physical and Environmental Protection | Preventive | |
Install electrical grounding equipment. CC ID 06359 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Establish/Maintain Documentation | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Establish/Maintain Documentation | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Establish/Maintain Documentation | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Establish/Maintain Documentation | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Establish/Maintain Documentation | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 [{exceptional circumstance} {maximum tolerable downtime} The security requirements include time constraints for self-sufficient operation in the event of exceptional events (e.g. prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime. PS-01 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 [The time limits for self-sufficient operation provide for at least 48 hours in the event of a failure of the external power supply. PS-01 ¶ 6 {exceptional circumstance} {maximum tolerable downtime} The security requirements include time constraints for self-sufficient operation in the event of exceptional events (e.g. prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime. PS-01 ¶ 5] | Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Recovery time (time elapsed until the incident has been resolved); and BC-02 ¶ 1 Bullet 4 The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Maximum tolerable downtime/Recovery Time Objective (RTO) BC-03 ¶ 1 Bullet 1 The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Restore time until normal operation BC-03 ¶ 1 Bullet 5] | Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Maximum allowable data loss/Recovery Point Objective (RPO) BC-03 ¶ 1 Bullet 2 {recovery level objective} The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Recovery level (capacity related to regular operation) BC-03 ¶ 1 Bullet 4] | Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Recovery time (time to completion of error handling); COM-03 ¶ 3 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [The communication of changes to the interfaces and dependencies takes place in a timely manner so that the affected organisations and third parties can react appropriately with organisational and technical measures before the changes take effect. OIS-03 ¶ 3 {security requirements} The policies and instructions describe at least the following aspects: Roles and dependencies on other organisations (especially cloud customers and subservice organisations); SP-01 ¶ 3 Bullet 4] | Behavior | Preventive | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Establish/Maintain Documentation | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [{separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2] | Physical and Environmental Protection | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Systems Continuity | Preventive | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO); OPS-06 ¶ 1 Bullet 1] | Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 [{data recovery} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. OPS-06 ¶ 1] | Communicate | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 [{physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Data and Information Management | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Access to the backed-up data and the execution of restores is performed only by authorised persons; and OPS-06 ¶ 1 Bullet 3] | Data and Information Management | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 [Interfaces are available to conduct forensic analyses and perform backups of infrastructure components and their network communication. OPS-15 ¶ 2] | Process or Activity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
Encrypt backup data. CC ID 00958 [{encrypted format} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Data is backed up in encrypted, state-of-the-art form; OPS-06 ¶ 1 Bullet 2 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Configuration | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Communicate | Preventive | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Accessibility and comprehensibility of the plans for persons who are to act accordingly; BCM-03 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 [If the Cloud Service Provider uses premises or buildings operated by third parties to provide the Cloud Service, the document describes which security requirements the Cloud Service Provider places on these third parties. PS-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Establish/Maintain Documentation | Preventive | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Establish/Maintain Documentation | Preventive | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Establish/Maintain Documentation | Preventive | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Establish/Maintain Documentation | Preventive | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Establish/Maintain Documentation | Preventive | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Configuration | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Accessibility and comprehensibility of the plans for persons who are to act accordingly; BCM-03 ¶ 2 Bullet 2] | Behavior | Preventive | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Training | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 [At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management. OPS-08 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2 Plan, implement, maintain and test procedures and measures for business continuity and emergency management. Section 5.14 Objective The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Testing | Detective | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Actionable Reports or Measurements | Preventive | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Testing | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Communicate | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1] | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload. OPS-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 [The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload. OPS-01 ¶ 1 The forecasts are considered in accordance with the service level agreement for planning and preparing the provisioning. OPS-01 ¶ 3 Cloud Service Providers take appropriate measures to ensure that they continue to meet the requirements agreed with cloud customers for the provision of the cloud service in the event of capacity bottlenecks or outages regarding personnel and IT resources, in particular those relating to the dedicated use of system components, in accordance with the respective agreements. OPS-01 ¶ 2] | Business Processes | Preventive | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Business Processes | Preventive | |
Limit any effects of a Denial of Service attack. CC ID 06754 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Technical Security | Preventive | |
Implement network redundancy, as necessary. CC ID 13048 [The connection to the telecommunications network is designed with sufficient redundancy so that the failure of a telecommunications network does not impair the security or performance of the Cloud Service Provider. PS-06 ¶ 4] | Systems Continuity | Preventive | |
Manage cloud services. CC ID 13144 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Policies, procedures and measures, including the controls implemented to provide (develop and operate) the cloud services with respect to the applicable C5 criteria; Section 3.4.4.1 ¶ 1 Bullet 5] | Business Processes | Preventive | |
Refrain from implementing network elements in a public cloud. CC ID 16382 | Technical Security | Preventive | |
Protect clients' hosted environments. CC ID 11862 | Physical and Environmental Protection | Preventive | |
Notify interested personnel and affected parties of the geographic locations of the cloud service organization and its assets. CC ID 13037 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Communicate | Preventive | |
Establish, implement, and maintain cloud service agreements. CC ID 13157 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: Its jurisdiction; and BC-01 ¶ 1 Bullet 1 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2 {technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Provision to cloud customers according to contractual agreements. OPS-11 ¶ 1 Bullet 6 {provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3 The Cloud Service Provider's procedures for deleting the cloud customers' data upon termination of the contractual relationship ensure compliance with the contractual agreements (cf. PI-02). PI-03 ¶ 1 The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for the contractual agreement of these requirements; SSO-01 ¶ 1 Bullet 7 In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Type, scope and format of the data the Cloud Service Provider provides to the cloud customer; PI-02 ¶ 1 Bullet 1 {make available} In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Definition of the timeframe, within which the Cloud Service Provider makes the data available to the cloud customer; PI-02 ¶ 1 Bullet 2 {make inaccessible} In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Definition of the point in time as of which the Cloud Service Provider makes the data inaccessible to the cloud customer and deletes these; and PI-02 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include data sovereignty requirements in cloud service agreements. CC ID 16931 [{provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the asset removal policy in the cloud service agreement. CC ID 13161 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cloud management procedures. CC ID 13149 [{is able} {specify} {locations} {data processing} {storage} This must be ensured by the cloud architecture. PSS-12 ¶ 2] | Technical Security | Preventive | |
Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 | Process or Activity | Preventive | |
Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 | Process or Activity | Preventive | |
Include cloud security requirements in the cloud management procedures. CC ID 16366 [Provide policies and instructions regarding security requirements and to support business requirements. Section 5.2 Objective {information security policy} {legal and regulatory requirements} The review shall consider at least the following aspects: Legal and regulatory changes in the Cloud Service Provider's environment. SP-02 ¶ 2 Bullet 2 {technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2 {applicable requirements} The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service as well as the Cloud Service Provider's procedures for complying with these requirements are explicitly defined and documented. COM-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cloud service usage standard. CC ID 13143 [{technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider provides cloud customers with guidelines and recommendations for the secure use of the cloud service provided. The information contained therein is intended to assist the cloud customer in the secure configuration, installation and use of the cloud service, to the extent applicable to the cloud service and the responsibility of the cloud user. PSS-01 ¶ 1 {secure use} The information is maintained so that it is applicable to the cloud service provided in the version intended for productive use. PSS-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Use strong data encryption when storing information within a cloud service. CC ID 16411 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Technical Security | Preventive | |
Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 [In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: The cloud customers' responsibilities and obligations to cooperate for the provision of the data. PI-02 ¶ 1 Bullet 4 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements; DEV-03 ¶ 1 Bullet 4 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Services and functions for administration of the cloud service by privileged users. PSS-01 ¶ 2 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include information security requirements in the cloud service usage standard. CC ID 13148 [{access roles} {access rights} The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Roles and rights concept including combinations that result in an elevated risk; and PSS-01 ¶ 2 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Monitor managing cloud services. CC ID 13150 [{technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1 Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access and monitor the agreed services and security requirements. Section 5.12 Objective] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 [To monitor capacity and availability, the relevant information is available to the cloud customer in a self-service portal. OPS-02 ¶ 2 The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for the monitoring of these requirements; and SSO-01 ¶ 1 Bullet 8 {be specific} {logical separation} The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out. OPS-14 ¶ 3] | Communicate | Preventive | |
Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 | Communicate | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 [{security requirements} The policies and instructions describe at least the following aspects: Applicable legal and regulatory requirements. SP-01 ¶ 3 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Description of the system components for providing the cloud service; Section 3.4.4.1 ¶ 1 Bullet 2 {audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Applicable C5 criteria; Section 3.4.4.1 ¶ 1 Bullet 4 For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Complementary customer controls assumed in the design of the Cloud Service Provider's controls; and Section 3.4.4.1 ¶ 1 Bullet 7] | Business Processes | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Name, type and scope of cloud services provided; Section 3.4.4.1 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Name, type and scope of cloud services provided; Section 3.4.4.1 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Dealing with significant events and conditions that represent exceptions to normal operation, such as security incidents or the failure of system components; Section 3.4.4.1 ¶ 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Plan, implement, maintain and continuously improve the information security framework within the organisation Section 5.1 Objective The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: OIS-01 ¶ 2 The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service. OIS-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which internal, cross-location communication is permitted; and COS-02 ¶ 1 Bullet 4 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Recovery time (time until completion of error handling). SSO-04 ¶ 5 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Communicate | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Communicate | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 [{information security policy} The policy describes: the organisational structure for information security in the ISMS application area. OIS-02 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers. OIS-02 ¶ 1 Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1 Information security policies and instructions are reviewed at least annually for adequacy by the Cloud Service Provider's subject matter experts. SP-02 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Establish/Maintain Documentation | Preventive | |
Include business processes in the information security policy. CC ID 16326 [Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 [{security requirements} The policies and instructions describe at least the following aspects: Steps for the execution of the security strategy; and SP-01 ¶ 3 Bullet 5 {information security policy} The policy describes: the most important aspects of the security strategy to achieve the security objectives set; and OIS-02 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [{information security policy} The policy describes: the importance of information security, based on the requirements of cloud customers in relation to information security; OIS-02 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [{security requirements} The policies and instructions describe at least the following aspects: Objectives; SP-01 ¶ 3 Bullet 1 {information security policy} The policy describes: the security objectives and the desired security level, based on the business goals and tasks of the Cloud Service Provider; OIS-02 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [{information security policy} Revised policies and instructions are approved before they become effective. SP-02 ¶ 3 {information security policy} The policies and instructions are version controlled and approved by the top management of the Cloud Service Provider or an authorised body. SP-01 ¶ 2] | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [{security requirements} The policies and instructions describe at least the following aspects: Roles and dependencies on other organisations (especially cloud customers and subservice organisations); SP-01 ¶ 3 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers. OIS-02 ¶ 1 Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1] | Communicate | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Communicate | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Communicate | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Establish/Maintain Documentation | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Establish/Maintain Documentation | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Establish/Maintain Documentation | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Communicate | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Communicate | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Establish/Maintain Documentation | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Establish/Maintain Documentation | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Process or Activity | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Process or Activity | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Establish/Maintain Documentation | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Communicate | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Communicate | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Establish/Maintain Documentation | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Communicate | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Establish/Maintain Documentation | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Business Processes | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Behavior | Detective | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Process or Activity | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Process or Activity | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Process or Activity | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Process or Activity | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Process or Activity | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Establish/Maintain Documentation | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Process or Activity | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Business Processes | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Communicate | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Communicate | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Establish/Maintain Documentation | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [The Cloud Service Provider has an approval process for the use of hardware to be commissioned, which is used to provide the cloud service in the production environment, in which the risks arising from the commissioning are identified, analysed and mitigated. Approval is granted after verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies. AM-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Classification and labelling based on the need for protection of the information and measures for the level of protection identified; AM-02 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Restriction of software installations or use of services; AM-02 ¶ 1 Bullet 7] | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 [Personal data is automatically removed from the log data before the Cloud Service Provider processes it as far as technically possible. The removal is done in a way that allows the Cloud Service Provider to continue to use the log data for the purpose for which it was collected. OPS-11 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Restriction of software installations or use of services; AM-02 ¶ 1 Bullet 7 {acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Handling of software for which support and security patches are not available anymore; AM-02 ¶ 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 [Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: AM-02 ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Establish/Maintain Documentation | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Establish/Maintain Documentation | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Communicate | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Business Processes | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Data and Information Management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Establish/Maintain Documentation | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Establish/Maintain Documentation | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Establish/Maintain Documentation | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Communicate | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{nondisclosure agreement} The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated. HR-06 ¶ 3 {nondisclosure agreement} The non-disclosure or confidentiality agreements to be agreed with internal employees, external service providers and suppliers of the Cloud Service Provider are based on the requirements identified by the Cloud Service Provider for the protection of confidential information and operational details. HR-06 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 [{confidentiality agreement} The Cloud Service Provider must inform the internal employees, external service providers and suppliers and obtain confirmation of the updated confidentiality or non-disclosure agreement. HR-06 ¶ 4] | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted. HR-06 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Legal consequences of non-compliance. BC-02 ¶ 1 Bullet 5] | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{information security requirement} Avoid non-compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements. Section 5.15 Objective] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Business Processes | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a network management program. CC ID 13123 [The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include quality of service requirements in the network management program. CC ID 16429 | Establish/Maintain Documentation | Preventive | |
Document the network design in the network management program. CC ID 13135 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain network documentation. CC ID 16497 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Communicate | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{centrally manage} Physical assets of internal and external employees are managed centrally. AM-05 ¶ 3] | Business Processes | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
Define the requirements for where assets can be located. CC ID 17051 | Business Processes | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [{be risk-based} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Risk-based provisions for the use of encryption which are aligned with the information classification schemes (cf. AM-06) and consider the communication channel, type, strength and quality of the encryption; CRY-01 ¶ 1 Bullet 2] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [The cloud provider provides subject matter experts of cloud customers with comprehensible and transparent information on the availability of the data centres used to provide the cloud service (including data centres operated by subcontractors), as needed. The information shows availability and downtime over one year according to industry standard classification schemes. The information enables cloud customers to assess the cloud service as part of their business impact analysis. BC-04 ¶ 1 The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Performance and availability of system components; SSO-04 ¶ 5 Bullet 2 Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Performance and availability of these system components; COM-03 ¶ 3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [The maximum tolerable downtimes of utility facilities are suitable for meeting the availability requirements contained in the service level agreement. PS-01 ¶ 9] | Process or Activity | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Classification and labelling based on the need for protection of the information and measures for the level of protection identified; AM-02 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Establish Roles | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Identify the organisation's own assets and ensure an appropriate level of protection throughout their lifecycle. Section 5.4 Objective] | Establish Roles | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [The Cloud Service Provider has established procedures for inventorying assets. AM-01 ¶ 1 The Cloud Service Provider operates or refers to a daily updated online register of known vulnerabilities that affect the Cloud Service Provider and assets provided by the Cloud Service Provider that the cloud customers have to install, provide or operate themselves under the customers' responsibility. PSS-03 ¶ 1] | Business Processes | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Inventory; AM-02 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 [Assets are recorded with the information needed to apply the Risk Management Procedure (cf. OIS-07), including the measures taken to manage these risks throughout the asset lifecycle. Changes to this information are logged. AM-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 [{automate} {responsible personnel} The inventory is performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle. AM-01 ¶ 2] | Technical Security | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Data and Information Management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Data and Information Management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 [Assets are recorded with the information needed to apply the Risk Management Procedure (cf. OIS-07), including the measures taken to manage these risks throughout the asset lifecycle. Changes to this information are logged. AM-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Complete and irrevocable deletion of the data upon decommissioning. AM-02 ¶ 1 Bullet 12] | Data and Information Management | Preventive | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Configuration | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 [The decommissioning includes the complete and permanent deletion of the data or proper destruction of the media. AM-04 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Business Processes | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Maintenance (servicing, inspection, repair) of the utilities in accordance with the manufacturer's recommendations. PS-06 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Maintenance | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Maintenance | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Maintenance | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Maintenance | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Establish/Maintain Documentation | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Communicate | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Activities that may result in malfunctions to the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods; and COM-02 ¶ 1 Bullet 2] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Process or Activity | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Human Resources Management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 [The decommissioning of hardware used to operate system components supporting the cloud service production environment under the responsibility of the Cloud Service Provider requires approval based on the applicable policies. AM-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Communicate | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Definition of events that could lead to a violation of the protection goals; OPS-10 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Mechanisms are in place to measure and monitor the type and scope of security incidents and to report them to support agencies. The information obtained from the evaluation is used to identify recurrent or significant incidents and to identify the need for further protection. SIM-05 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Categorize the incident following an incident response. CC ID 13208 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1] | Technical Security | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Process or Activity | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of the maximum acceptable duration of malfunctions; BCM-02 ¶ 1 Bullet 6] | Process or Activity | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Process or Activity | Detective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1 The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Monitor and Evaluate Occurrences | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [The Cloud Service Provider periodically informs the cloud customer on the status of incidents affecting the cloud customer, or, where appropriate and necessary, involve the customer in the resolution, in a manner consistent with the contractual agreements. OPS-21 ¶ 1 {incident response report} The customer can either actively approve solutions or the solution is automatically approved after a certain period. SIM-03 ¶ 2 The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Process or Activity | Corrective | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Testing | Corrective | |
Analyze the incident response process following an incident response. CC ID 13179 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Response time to malfunctions and security incidents; COM-03 ¶ 3 Bullet 3] | Investigate | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The Cloud Service Provider periodically informs the cloud customer on the status of incidents affecting the cloud customer, or, where appropriate and necessary, involve the customer in the resolution, in a manner consistent with the contractual agreements. OPS-21 ¶ 1 Identified events are automatically reported to the appropriate departments for prompt evaluation and action. OPS-13 ¶ 2 Information on security incidents or confirmed security breaches is made available to all affected customers. SIM-03 ¶ 3 Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Data and Information Management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Data and Information Management | Preventive | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Customers affected by security incidents are informed in a timely and appropriate manner. SIM-01 ¶ 4] | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 [{false positive} In addition, the Cloud Service Provider communicates that "false reports" of events that do not subsequently turn out to be incidents do not have any negative consequences. SIM-04 ¶ 2] | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include the incident reference code in incident response notifications. CC ID 17292 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Establish/Maintain Documentation | Preventive | |
Include costs associated with the incident in incident response notifications. CC ID 17300 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
Include response times in the containment strategy. CC ID 13485 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Response time to malfunctions and security incidents; and SSO-04 ¶ 5 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Establish/Maintain Documentation | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Log Management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Mechanisms are in place to measure and monitor the type and scope of security incidents and to report them to support agencies. The information obtained from the evaluation is used to identify recurrent or significant incidents and to identify the need for further protection. SIM-05 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Create an incident response report. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [As soon as an incident has been resolved from the Cloud Service Provider's perspective, the cloud customer is informed according to the contractual agreements, about the actions taken. OPS-21 ¶ 2 After a security incident has been processed, the solution is documented in accordance with the contractual agreements and the report is sent to the affected customers for final acknowledgement or, if applicable, as confirmation. SIM-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Establish/Maintain Documentation | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 [Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1 There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 [In addition, the Cloud Service Provider has set up a "Computer Emergency Response Team" (CERT), which contributes to the coordinated resolution of occurring security incidents. SIM-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Information on security incidents or confirmed security breaches is made available to all affected customers. SIM-03 ¶ 3] | Communicate | Corrective | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Establish/Maintain Documentation | Preventive | |
Include the incident response training program in the Incident Response program. CC ID 06750 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Correct behaviour in the event of security incidents. HR-03 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 [In addition to the tests, exercises are also carried out which, among other things, have resulted in scenarios from security incidents that have already occurred in the past. BCM-04 ¶ 2] | Behavior | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 [Policies and instructions with technical and organisational safeguards are documented, communicated and provided in accordance with SP-01 to ensure a fast, effective and proper response to all known security incidents. SIM-01 ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: dealing with incidents and vulnerabilities; and AM-02 ¶ 1 Bullet 11] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 [Interfaces are available to conduct forensic analyses and perform backups of infrastructure components and their network communication. OPS-15 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include time information in the chain of custody. CC ID 17068 | Log Management | Preventive | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Log Management | Preventive | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Log Management | Preventive | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
Prepare digital forensic equipment. CC ID 08688 | Investigate | Detective | |
Collect evidence from the incident scene. CC ID 02236 | Business Processes | Corrective | |
Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 [There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Investigate | Detective | |
Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Security incidents; and OIS-03 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [After a security incident has been processed, the solution is documented in accordance with the contractual agreements and the report is sent to the affected customers for final acknowledgement or, if applicable, as confirmation. SIM-03 ¶ 1] | Actionable Reports or Measurements | Preventive | |
Test the incident response procedures. CC ID 01216 [The Cloud Service Provider simulates the identification, analysis and defence of security incidents and attacks at least once a year through appropriate tests and exercises (e.g. Red Team training). SIM-02 ¶ 2] | Testing | Detective | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Performance and availability of these system components; COM-03 ¶ 3 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Establish/Maintain Documentation | Preventive | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include availability requirements in Service Level Agreements. CC ID 13095 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Availability of the cloud service; BC-02 ¶ 1 Bullet 1 The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located at an adequate distance from each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 [Version control procedures are set up to track dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities. DEV-08 ¶ 1 Version control procedures provide appropriate safeguards to ensure that the integrity and availability of cloud customer data is not compromised when system components are restored back to their previous state. DEV-08 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 [Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility is restricted to authorised users. Changes to the configuration are made in accordance with the applicable policies (cf. DEV-03). OPS-16 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: DEV-03 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical Security | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [Version control procedures are set up to track dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities. DEV-08 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Manage change requests. CC ID 00887 [In accordance with the applicable policies (cf. DEV-03), changes are subjected to a risk assessment with regard to potential effects on the system components concerned and are categorised and prioritised accordingly. DEV-05 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Business Processes | Preventive | |
Document all change requests in change request forms. CC ID 06794 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the documentation of changes in system, operational and user documentation; and DEV-03 ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 [Changes to the cloud service are subject to appropriate testing during software development and deployment. DEV-06 ¶ 1 {change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state of the art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [{change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state of the art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 [Authorised personnel or system components of the Cloud Service Provider approve changes to the cloud service based on defined criteria (e.g. test results and required approvals) before these are made available to the cloud customers in the production environment. DEV-09 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 [The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements; DEV-03 ¶ 1 Bullet 4 In accordance with the contractual agreements, meaningful information about the occasion, time, duration, type and scope of the change is submitted to authorised bodies of the cloud customer so that they can carry out their own risk assessment before the change is made available in the production environment. Regardless of the contractual agreements, this is done for changes that have the highest risk category based on their risk assessment. DEV-05 ¶ 2 {changes} Cloud customers are involved in the release according to contractual requirements. DEV-09 ¶ 2] | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes. DEV-03 ¶ 1 Bullet 6] | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes. DEV-03 ¶ 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 [The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Development, testing and release of changes (cf. DEV-01); and OIS-04 ¶ 2 Bullet 2 In accordance with the applicable policies (cf. DEV-03), changes are subjected to a risk assessment with regard to potential effects on the system components concerned and are categorised and prioritised accordingly. DEV-05 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1 If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: If the Cloud Service Provider provides images of virtual machines or containers to the Cloud Customer, the Cloud Service Provider appropriately informs the Cloud Customer of the changes made to the previous version. PSS-11 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition of success criteria for the transition; and SSO-05 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition of indicators for monitoring the performance of services, which should initiate the withdrawal from the service if the results are unacceptable. SSO-05 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include resources in the transition strategy. CC ID 17289 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition; SSO-05 ¶ 2 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Prioritisation and implementation of actions to promptly remediate or mitigate identified vulnerabilities based on severity and according to defined timelines; and OPS-18 ¶ 1 Bullet 3 Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): OPS-22 ¶ 2 {critical vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): Critical (CVSS = 9.0 – 10.0), 3 hours; OPS-22 ¶ 2 Bullet 1 {high severity vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): High (CVSS = 7.0 – 8.9), 3 days; OPS-22 ¶ 2 Bullet 2 {average severity vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): Average (CVSS = 4.0 – 6.9), 1 month; and OPS-22 ¶ 2 Bullet 3 {low severity vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): Low (CVSS = 0.1 – 3.9), 3 months. OPS-22 ¶ 2 Bullet 4] | Business Processes | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1] | Configuration | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 [Security requirements for premises and buildings related to the cloud service provided are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Monitor and Evaluate Occurrences | Detective | |
Inspect for tampering, as necessary. CC ID 10640 [{power distributor} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Traces of violent attempts to open closed distributors; PS-06 ¶ 1(d) Bullet 1] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located at an adequate distance from each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 The structural shell of premises and buildings related to the cloud service provided is physically solid and protected by adequate security measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). PS-03 ¶ 1 Security requirements for premises and buildings related to the cloud service provided are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: PS-06 ¶ 1(d)] | Physical and Environmental Protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Maintain all security alarm systems. CC ID 11669 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5] | Physical and Environmental Protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 [At access points to premises and buildings related to the cloud service provided, physical access controls are set up in accordance with the Cloud Service Provider's security requirements (cf. PS-01 Security Concept) to prevent unauthorised access. PS-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and Environmental Protection | Preventive | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Log Management | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Log Management | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Log Management | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Log Management | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Log Management | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Log Management | Preventive | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and PS-04 ¶ 3 Bullet 5] | Monitor and Evaluate Occurrences | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Business Processes | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 [The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Process or Activity | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 [The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Unauthorised access; PS-01 ¶ 2 Bullet 2] | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain a visitor log. CC ID 00715 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and PS-04 ¶ 3 Bullet 5] | Log Management | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Log Management | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Log Management | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Establish, implement, and maintain a physical access log. CC ID 12080 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Existence and nature of access logging that enables the Cloud Service Provider, in the sense of an effectiveness audit, to check whether only defined personnel have entered the premises and buildings related to the cloud service provided. PS-04 ¶ 3 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Include the requestor's name in the physical access log. CC ID 16922 | Log Management | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5 {be insufficient} The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Insufficient surveillance; PS-01 ¶ 2 Bullet 3] | Monitor and Evaluate Occurrences | Detective | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5] | Establish Roles | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 [{security requirement} The surrounding wall constructions as well as the locking mechanisms meet the associated requirements. PS-03 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Physical and Environmental Protection | Preventive | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Physical delivery and transport; AM-02 ¶ 1 Bullet 10] | Records Management | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
Protect distributed assets against theft. CC ID 06799 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Physical and Environmental Protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Business Processes | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Communicate | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Communicate | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Process or Activity | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Establish/Maintain Documentation | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 [{physical separation} In the case of IaaS/PaaS, the secure segregation is ensured by physically separated networks or by means of strongly encrypted VLANs. For the definition of strong encryption, the BSI Technical Guideline TR-02102 must be considered. COS-06 ¶ 2] | Physical and Environmental Protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Any assets handed over are provably returned upon termination of employment. AM-05 ¶ 2] | Behavior | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain environmental control procedures. CC ID 12246 [The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: PS-06 ¶ 1(d)] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Establish/Maintain Documentation | Preventive | |
Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and Environmental Protection | Preventive | |
Build critical facilities according to applicable building codes. CC ID 06366 [The structural shell of premises and buildings related to the cloud service provided is physically solid and protected by adequate security measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). PS-03 ¶ 1 The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and Environmental Protection | Preventive | |
Build critical facilities with fire resistant materials. CC ID 06365 | Physical and Environmental Protection | Preventive | |
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and Environmental Protection | Preventive | |
Build critical facilities with water-resistant materials. CC ID 11679 | Physical and Environmental Protection | Preventive | |
Define selection criteria for facility locations. CC ID 06351 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located at an adequate distance from each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Install and maintain smoke control systems. CC ID 17291 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: PS-05 ¶ 1] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Establish/Maintain Documentation | Preventive | |
Install and maintain fire protection equipment. CC ID 00728 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Early fire detection with automatic voltage release. The monitored areas are sufficiently fragmented to ensure that the prevention of the spread of incipient fires is proportionate to the maintenance of the availability of the cloud service provided; PS-05 ¶ 1(b) Bullet 1 {fire extinguishing system} Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Extinguishing system or oxygen reduction; and PS-05 ¶ 1(b) Bullet 2 The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Fire and smoke; PS-01 ¶ 2 Bullet 5] | Configuration | Preventive | |
Install and maintain fire suppression systems. CC ID 00729 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Fire and smoke; PS-01 ¶ 2 Bullet 5 Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: PS-05 ¶ 1] | Configuration | Preventive | |
Install and maintain fire alarm systems. CC ID 17267 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Fire alarm system with reporting to the local fire department. PS-05 ¶ 1(b) Bullet 3] | Physical and Environmental Protection | Preventive | |
Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Regular fire protection inspections to check compliance with fire protection requirements; and PS-05 ¶ 1(c) Bullet 1] | Physical and Environmental Protection | Preventive | |
Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Establishment of fire sections with a fire resistance duration of at least 90 minutes for all structural parts. PS-05 ¶ 1(a) ¶ 1] | Physical and Environmental Protection | Preventive | |
Conduct fire drills, as necessary. CC ID 13985 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Regular fire protection exercises. PS-05 ¶ 1(c) Bullet 2] | Process or Activity | Preventive | |
Employ environmental protections. CC ID 12570 | Process or Activity | Preventive | |
Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 [{be insufficient} The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Insufficient air-conditioning; PS-01 ¶ 2 Bullet 4 {operating parameter} {be the highest} The cooling supply is designed in such a way that the permissible operating and environmental parameters are also ensured on at least five consecutive days with the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings, with a safety margin of 3 K (in relation to the outside temperature). The Cloud Service Provider has previously determined the highest outdoor temperatures measured to date (cf. PS-01 Security Concept). PS-06 ¶ 3] | Configuration | Preventive | |
Install and maintain an environment control monitoring system. CC ID 06370 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2 The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1 {cooling system} For a self-sufficient operation during a heat period, the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings have been determined with a safety margin of 3 K. The security requirements stipulate that the permissible operating and environmental parameters of the cooling supply must also be observed on at least five consecutive days with these outside temperatures including the safety margin (cf. PS-06 Protection against failure of the supply facilities). PS-01 ¶ 7 {duration} If water is taken from a river for air conditioning, it is determined at which water levels and water temperatures the air conditioning can be maintained for how long. PS-01 ¶ 8] | Monitor and Evaluate Occurrences | Detective | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2 The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Communicate | Preventive | |
Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Air ventilation and filtration. PS-01 ¶ 2 Bullet 8] | Configuration | Preventive | |
Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 [{power supply} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Operational redundancy (N+1) in power and cooling supply PS-06 ¶ 1(a)] | Configuration | Preventive | |
Protect physical assets from water damage. CC ID 00730 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Water; PS-01 ¶ 2 Bullet 6] | Configuration | Preventive | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: the ability of the affected cloud customers to object; and BC-05 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: whether the Cloud Service Provider has the ability to decrypt encrypted data of the cloud customers in case of such requests and how this ability for access or disclosure is used. BC-05 ¶ 1 Bullet 4] | Process or Activity | Preventive | |
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Process or Activity | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Data and Information Management | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Access to the data processed, stored or transmitted in the cloud service by internal or external employees of the Cloud Service Provider requires the prior consent of an authorised department of the cloud customer, provided that the cloud customer's data is not encrypted, encryption is disabled for access, or contractual agreements do not explicitly exclude such consent. For the consent, the cloud customer's department is provided with meaningful information about the cause, time, duration, type and scope of the access supporting assessing the risks associated with the access. IDM-07 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 | Behavior | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective Access to or disclosure of cloud customer data in connection with government investigation requests is subject to the proviso that the Cloud Service Provider's legal assessment has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis. INQ-03 ¶ 1] | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 [Investigation requests from government agencies are subjected to a legal assessment by subject matter experts of the Cloud Service Provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken. INQ-01 ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Immediate deletion if the purposes of the collection are fulfilled and further storage is no longer necessary; and OPS-11 ¶ 1 Bullet 5] | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Establish/Maintain Documentation | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: BC-05 ¶ 1] | Data and Information Management | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: Procedures for informing and involving the affected cloud customers upon receipt of such enquiries; BC-05 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 | Establish Roles | Preventive | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Metadata is collected and used solely for billing, incident management and security incident management purposes; OPS-11 ¶ 1 Bullet 1 {refrain from using} Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: No commercial use; OPS-11 ¶ 1 Bullet 3] | Technical Security | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [Access to the data processed, stored or transmitted in the cloud service by internal or external employees of the Cloud Service Provider requires the prior consent of an authorised department of the cloud customer, provided that the cloud customer's data is not encrypted, encryption is disabled for access, or contractual agreements do not explicitly exclude such consent. For the consent, the cloud customer's department is provided with meaningful information about the cause, time, duration, type and scope of the access supporting assessing the risks associated with the access. IDM-07 ¶ 2] | Data and Information Management | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Storage for a fixed period reasonably related to the purposes of the collection; OPS-11 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 [The Cloud Service Provider's procedures establishing access to or disclosing data of cloud customers in the context of investigation requests from governmental agencies ensure that the agencies only gain access to or insight into the data that is the subject of the investigation request. INQ-04 ¶ 1] | Data and Information Management | Preventive | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 | Data and Information Management | Preventive | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: PSS-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Communicate | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: Procedures to verify the legal basis of such enquiries; BC-05 ¶ 1 Bullet 1] | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Data and Information Management | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: OPS-11 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective If the Cloud Service offers functions for software-defined networking (SDN), the confidentiality of the data of the cloud user is ensured by suitable SDN procedures. PSS-10 ¶ 1] | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [{not be possible} If no clear limitation of the data is possible, the Cloud Service Provider anonymises or pseudonymises the data so that government agencies can only assign it to those cloud customers who are subject of the investigation request. INQ-04 ¶ 2] | Data and Information Management | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: OPS-12 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Exclusively anonymous metadata to deploy and enhance the cloud service so that no conclusions can be drawn about the cloud customer or user; OPS-11 ¶ 1 Bullet 2] | Communicate | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 [{investigation request} The Cloud Service Provider informs the affected Cloud Customer(s) without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the Cloud Service. INQ-02 ¶ 1] | Behavior | Detective | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 [Investigation requests from government agencies are subjected to a legal assessment by subject matter experts of the Cloud Service Provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken. INQ-01 ¶ 1] | Behavior | Detective | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of all data. CRY-02 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of data of cloud customers over public networks. CRY-02 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Check the accuracy of restricted data. CC ID 00088 | Data and Information Management | Preventive | |
Record restricted data correctly. CC ID 00089 | Testing | Detective | |
Check the data accuracy of new accounts. CC ID 04859 | Data and Information Management | Preventive | |
Use documents for identification that do not appear altered or forged. CC ID 04860 | Establish/Maintain Documentation | Preventive | |
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Testing | Detective | |
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Data and Information Management | Preventive | |
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Data and Information Management | Preventive | |
Correlate the applicant's social security number with their date of birth. CC ID 04864 | Data and Information Management | Preventive | |
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Data and Information Management | Preventive | |
Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Data and Information Management | Preventive | |
Compare the applicant's address against known suspicious addresses. CC ID 04866 | Data and Information Management | Preventive | |
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Data and Information Management | Preventive | |
Provide additional personal data when the application is incomplete. CC ID 04869 | Data and Information Management | Preventive | |
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Data and Information Management | Detective | |
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Behavior | Detective | |
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Data and Information Management | Detective | |
Interview appropriate parties to validate consumer information. CC ID 16902 | Process or Activity | Preventive | |
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Business Processes | Detective | |
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Business Processes | Preventive | |
Use contact methods specified by the consumer for identity verification. CC ID 16878 | Process or Activity | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a data retention program. CC ID 00906 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO); OPS-06 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Detective | |
Store records and data in accordance with organizational standards. CC ID 16439 | Data and Information Management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 | Process or Activity | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Data and Information Management | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Retention for the specified period; and OPS-12 ¶ 1 Bullet 2] | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{appropriate format} The Cloud Service Provider retains the generated log data and keeps these in an appropriate, unchangeable and aggregated form, regardless of the source of such data, so that a central, authorised evaluation of the data is possible. Log data is deleted if it is no longer required for the purpose for which they were collected. OPS-14 ¶ 1 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Information regarding the purpose and retention period of the logs; OPS-10 ¶ 1 Bullet 3] | Records Management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 [{appropriate format} The Cloud Service Provider retains the generated log data and keeps these in an appropriate, unchangeable and aggregated form, regardless of the source of such data, so that a central, authorised evaluation of the data is possible. Log data is deleted if it is no longer required for the purpose for which they were collected. OPS-14 ¶ 1] | Process or Activity | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Deletion when further retention is no longer necessary for the purpose of collection. OPS-12 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Require authorized individuals be present to witness records disposition. CC ID 12313 | Data and Information Management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The logged information is protected from unauthorised access and modification and can be deleted by the Cloud Customer. PSS-04 ¶ 3] | Records Management | Preventive | |
Include the sanitization method in the disposal record. CC ID 17073 | Log Management | Preventive | |
Include time information in the disposal record. CC ID 17072 | Log Management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Communicate | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 [{security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Monitor and Evaluate Occurrences | Detective | |
Validate transactions using identifiers and credentials. CC ID 13203 | Technical Security | Preventive | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records Management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Establish/Maintain Documentation | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records Management | Detective | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 [The top management of the Cloud Service Provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS that is performed at least once a year. COM-04 ¶ 1] | Log Management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Error handling and logging mechanisms; PSS-01 ¶ 2 Bullet 3 The cloud service provided is equipped with error handling and logging mechanisms. These enable cloud users to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides. PSS-04 ¶ 1] | Establish/Maintain Documentation | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration management plan. CC ID 01901 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the configuration management plan. CC ID 14248 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Instructions for secure configuration; PSS-01 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [{be inactive} To protect confidentiality, availability, integrity and authenticity during interactions with the cloud service, a suitable session management system is used that at least corresponds to the state-of-the-art and is protected against known attacks. Mechanisms are implemented that invalidate a session after it has been detected as inactive. The inactivity can be detected by time measurement. In this case, the time interval can be configured by the Cloud Service Provider or – if technically possible – by the cloud customer. PSS-06 ¶ 1] | Configuration | Preventive | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Requirements for versions of software and images as well as application of patches; AM-02 ¶ 1 Bullet 5 {time frame} For each vulnerability, it is indicated whether software updates (e.g. patch, update) are available, when they will be rolled out and whether they will be deployed by the Cloud Service Provider, the cloud customer or both of them together. PSS-03 ¶ 4] | Configuration | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | Communicate | Preventive | |
Configure Least Functionality and Least Privilege settings to organizational standards. CC ID 07599 [The rights profiles are suitable for enabling cloud users to manage access authorisations and permissions in accordance with the principle of least-privilege and how it is necessary for the performance of tasks ("need-to-know principle") and to implement the principle of functional separation between operational and controlling functions ("separation of duties"). PSS-08 ¶ 2] | Configuration | Preventive | |
Prohibit directories from having read/write capability, as appropriate. CC ID 16313 | Configuration | Preventive | |
Configure "Block public access (bucket settings)" to organizational standards. CC ID 15444 | Configuration | Preventive | |
Configure S3 Bucket Policies to organizational standards. CC ID 15431 | Configuration | Preventive | |
Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards. CC ID 15417 | Configuration | Preventive | |
Configure "Allow Cloud Search" to organizational standards. CC ID 15416 | Configuration | Preventive | |
Configure "Configure Watson events" to organizational standards. CC ID 15414 | Configuration | Preventive | |
Configure "Allow Clipboard synchronization across devices" to organizational standards. CC ID 15412 | Configuration | Preventive | |
Configure "Prevent users from modifying settings" to organizational standards. CC ID 15411 | Configuration | Preventive | |
Configure "Prevent users from sharing files within their profile" to organizational standards. CC ID 15408 | Configuration | Preventive | |
Configure "Manage preview builds" to organizational standards. CC ID 15405 | Configuration | Preventive | |
Configure "Turn off Help Experience Improvement Program" to organizational standards. CC ID 15403 | Configuration | Preventive | |
Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards. CC ID 15402 | Configuration | Preventive | |
Configure "Hardened UNC Paths" to organizational standards. CC ID 15400 | Configuration | Preventive | |
Configure "Turn off all Windows spotlight features" to organizational standards. CC ID 15397 | Configuration | Preventive | |
Configure "Allow Message Service Cloud Sync" to organizational standards. CC ID 15396 | Configuration | Preventive | |
Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards. CC ID 15394 | Configuration | Preventive | |
Configure "Configure Windows spotlight on lock screen" to organizational standards. CC ID 15391 | Configuration | Preventive | |
Configure "Do not suggest third-party content in Windows spotlight" to organizational standards. CC ID 15389 | Configuration | Preventive | |
Configure "Enable Font Providers" to organizational standards. CC ID 15388 | Configuration | Preventive | |
Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards. CC ID 15386 | Configuration | Preventive | |
Configure "Do not display network selection UI" to organizational standards. CC ID 15381 | Configuration | Preventive | |
Configure "Turn off KMS Client Online AVS Validation" to organizational standards. CC ID 15380 | Configuration | Preventive | |
Configure "Allow Telemetry" to organizational standards. CC ID 15378 | Configuration | Preventive | |
Configure "Allow users to enable online speech recognition services" to organizational standards. CC ID 15377 | Configuration | Preventive | |
Configure "Prevent enabling lock screen camera" to organizational standards. CC ID 15373 | Configuration | Preventive | |
Configure "Continue experiences on this device" to organizational standards. CC ID 15372 | Configuration | Preventive | |
Configure "Prevent the usage of OneDrive for file storage" to organizational standards. CC ID 15369 | Configuration | Preventive | |
Configure "Do not use diagnostic data for tailored experiences" to organizational standards. CC ID 15367 | Configuration | Preventive | |
Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards. CC ID 15365 | Configuration | Preventive | |
Configure "Turn off Microsoft consumer experiences" to organizational standards. CC ID 15363 | Configuration | Preventive | |
Configure "Allow Use of Camera" to organizational standards. CC ID 15362 | Configuration | Preventive | |
Configure "Allow Online Tips" to organizational standards. CC ID 15360 | Configuration | Preventive | |
Configure "Turn off cloud optimized content" to organizational standards. CC ID 15357 | Configuration | Preventive | |
Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards. CC ID 15356 | Configuration | Preventive | |
Configure "Toggle user control over Insider builds" to organizational standards. CC ID 15354 | Configuration | Preventive | |
Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards. CC ID 15353 | Configuration | Preventive | |
Configure "Do not show feedback notifications" to organizational standards. CC ID 15350 | Configuration | Preventive | |
Configure "Prevent enabling lock screen slide show" to organizational standards. CC ID 15349 | Configuration | Preventive | |
Configure "Turn off the advertising ID" to organizational standards. CC ID 15348 | Configuration | Preventive | |
Configure "Allow Windows Ink Workspace" to organizational standards. CC ID 15346 | Configuration | Preventive | |
Configure "Allow a Windows app to share application data between users" to organizational standards. CC ID 15345 | Configuration | Preventive | |
Configure "Turn off handwriting personalization data sharing" to organizational standards. CC ID 15339 | Configuration | Preventive | |
Configure virtual networks in accordance with the information security policy. CC ID 13165 [{physical separation} In the case of IaaS/PaaS, the secure segregation is ensured by physically separated networks or by means of strongly encrypted VLANs. For the definition of strong encryption, the BSI Technical Guideline TR-02102 must be considered. COS-06 ¶ 2] | Configuration | Preventive | |
Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
Configure authenticators to comply with organizational standards. CC ID 06412 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: When creating passwords, compliance with the password specifications (cf. IDM-09) is enforced as far as technically possible. IDM-08 ¶ 1 Bullet 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Configuration | Preventive | |
Configure the system to require new users to change their authenticator on first use. CC ID 05268 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | Configuration | Preventive | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | Business Processes | Corrective | |
Configure the system to encrypt authenticators. CC ID 06735 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: The server-side storage takes place using cryptographically strong hash functions. IDM-08 ¶ 1 Bullet 4 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: The server-side storage takes place using state-of-the-art cryptographically strong hash functions in combination with at least 32-bit long salt values. PSS-07 ¶ 1 Bullet 4] | Configuration | Preventive | |
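The two IDM-08 / PSS-07 bullets cited in the preceding lines (initial passwords that must be changed at first login and expire after 14 days; server-side storage as a salted, cryptographically strong hash) as one added example. This is not code from C5 or from the UCF mapping. The PBKDF2 iteration count, the 128-bit salt (PSS-07 only sets a floor of 32 bits) and the function names are my own choices.

```python
# Added example, not from C5 or the UCF mapping: password handling that
# follows IDM-08 / PSS-07 bullets 1 and 4. Server-side storage is a salted,
# slow hash; provider-issued initial passwords must be changed at first
# login and expire after 14 days. PBKDF2 round count and salt size are my
# assumptions (PSS-07 requires a salt of at least 32 bits).
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Tuple

INITIAL_PASSWORD_LIFETIME = 14 * 24 * 3600   # seconds; "maximum of 14 days"
PBKDF2_ROUNDS = 210_000                       # assumption: tune to ~100 ms per hash
SALT_BYTES = 16                               # 128-bit random salt per credential


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    issued_at: float      # epoch seconds when this password was set
    must_change: bool     # True only for provider-issued initial passwords


def hash_password(password: str, salt: bytes) -> bytes:
    # Only the derived key is stored; the clear-text password never is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def issue_initial_password(now: float) -> Tuple[str, Credential]:
    """Provider side: generate a random one-time password for a new user."""
    password = secrets.token_urlsafe(12)
    salt = os.urandom(SALT_BYTES)
    return password, Credential(salt, hash_password(password, salt), now, must_change=True)


def set_password(password: str, now: float) -> Credential:
    """User-chosen password; a fresh salt is drawn on every change."""
    salt = os.urandom(SALT_BYTES)
    return Credential(salt, hash_password(password, salt), now, must_change=False)


def login(cred: Credential, password: str, now: float) -> str:
    """Returns 'ok', 'change_required', 'expired' or 'denied'."""
    candidate = hash_password(password, cred.salt)
    if not hmac.compare_digest(candidate, cred.digest):   # constant-time compare
        return "denied"
    if cred.must_change:
        if now - cred.issued_at > INITIAL_PASSWORD_LIFETIME:
            return "expired"          # initial password no longer valid; re-issue it
        return "change_required"      # correct, but a new password must be set now
    return "ok"


if __name__ == "__main__":
    import time
    pw, cred = issue_initial_password(time.time())
    print(login(cred, pw, time.time()))
```

The caller is expected to treat "change_required" as a gate: the only action allowed in that state is set_password(), and "expired" means the initial password has to be re-issued through the orderly allocation process IDM-08 describes, not reset by the user. Verifying the password before checking the 14-day window keeps the response from revealing account state to someone who does not know the password.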
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | Configuration | Preventive | |
Notify affected parties to keep authenticators confidential. CC ID 06787 [{maintain} {confidentiality} The users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively for themselves (within the members of the group). IDM-08 ¶ 3] | Behavior | Preventive | |
Configure user accounts. CC ID 07036 | Configuration | Preventive | |
Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Two-factor or multi-factor authentication for users with privileged access; and IDM-01 ¶ 1 Bullet 9 For privileged users, IT components or applications, these authentication mechanisms are enforced. PSS-05 ¶ 3] | Technical Security | Preventive | |
Establish, implement, and maintain an account lockout policy. CC ID 01709 [User accounts of internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider are automatically locked if they have not been used for a period of two months. Approval from authorised personnel or system components are required to unlock these accounts. IDM-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
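The IDM-03 rule above (lock accounts unused for two months; unlocking needs approval from authorised personnel) as an added example of the scheduled job that enforces it; this is not code from C5 or from the UCF mapping. Two months is taken as 61 days, and the set of authorised approvers stands in for whatever approval step the provider actually uses; both are assumptions.

```python
# Added example, not from C5 or the UCF mapping: IDM-03 as a scheduled job.
# "Two months" is taken as 61 days and the approver set is a stand-in for
# the provider's real authorisation step; both are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

INACTIVITY_LIMIT = timedelta(days=61)   # assumption for "two months"


@dataclass
class Account:
    name: str
    created_at: datetime
    last_used: Optional[datetime]       # None: never used since creation
    locked: bool = False


def lock_inactive(accounts: List[Account], now: datetime) -> List[str]:
    """Lock every account unused for longer than the limit; return their names.
    Never-used accounts are measured from creation so they cannot stay open
    forever just because no login was ever recorded."""
    locked = []
    for acct in accounts:
        if acct.locked:
            continue
        reference = acct.last_used or acct.created_at
        if now - reference > INACTIVITY_LIMIT:
            acct.locked = True
            locked.append(acct.name)
    return locked


def unlock(acct: Account, approver: str, authorised: Set[str], now: datetime) -> bool:
    """Unlock only on approval by authorised personnel other than the holder.
    The approval counts as use, otherwise the next sweep would re-lock it."""
    if approver not in authorised or approver == acct.name:
        return False
    acct.locked = False
    acct.last_used = now
    return True


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    fleet = [Account("alice", now - timedelta(days=400), now - timedelta(days=90))]
    print(lock_inactive(fleet, now))
```

Service accounts and accounts used only by automation fall under the same rule in IDM-03, so "last used" has to come from authentication logs for non-interactive use as well, not only from interactive logins.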
Review and restrict network addresses and network protocols. CC ID 01518 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Usage of strong encryption procedures and secure network protocols that correspond to the state-of-the-art; CRY-01 ¶ 1 Bullet 1 {insecure protocol} At specified intervals, the business justification for using all services, protocols, and ports is reviewed. The review also includes the justifications for compensatory measures for the use of protocols that are considered insecure. COS-03 ¶ 4] | Configuration | Preventive | |
Establish, implement, and maintain a network addressing plan. CC ID 16399 | Establish/Maintain Documentation | Preventive | |
Define the location requirements for network elements and network devices. CC ID 16379 | Process or Activity | Preventive | |
Configure Network Address Translation to organizational standards. CC ID 16395 | Configuration | Preventive | |
Enable or disable tunneling, as necessary. CC ID 15235 | Configuration | Preventive | |
Disable Pre-boot eXecution Environment unless it is absolutely necessary. CC ID 04819 | Configuration | Preventive | |
Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information. CC ID 06077 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Configuration | Preventive | |
Configure wireless communication to be encrypted using strong cryptography. CC ID 06078 [Communication takes place through standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements. Communication over untrusted networks is encrypted according to CRY-02. PI-01 ¶ 2] | Configuration | Preventive | |
Verify the organization has Emergency Power Supplies available for the systems. CC ID 01912 [{power supply facility} {emergency power solution} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-06 ¶ 1(b)] | Systems Continuity | Preventive | |
Verify enough emergency power is available for a graceful shutdown if the primary power system fails. CC ID 01913 | Systems Continuity | Preventive | |
Verify emergency power continuity procedures are in place to transfer power to a secondary source if the primary power system fails. CC ID 01914 | Systems Continuity | Preventive | |
Enable or disable the Uninterruptible Power Supply service, as appropriate. CC ID 06037 | Configuration | Preventive | |
Establish, implement, and maintain virtualization configuration settings. CC ID 07110 | Configuration | Preventive | |
Implement the security features of hypervisor to protect virtual machines. CC ID 12176 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Configuration | Preventive | |
Configure network protection settings to organizational standards. CC ID 07601 [System components in the production environment used to provide the cloud service under the Cloud Service Provider's responsibility are hardened according to generally accepted industry standards. The hardening requirements for each system component are documented. OPS-23 ¶ 1 Ensure the protection of information in networks and the corresponding information processing systems Section 5.9 Objective] | Configuration | Preventive | |
Configure the "CNI" plugin to organizational standards. CC ID 14659 | Configuration | Preventive | |
Configure the "data-path-addr" argument to organizational standards. CC ID 14546 | Configuration | Preventive | |
Configure the "advertise-addr" argument to organizational standards. CC ID 14544 | Configuration | Preventive | |
Configure the "nftables" to organizational standards. CC ID 15320 | Configuration | Preventive | |
Configure the "iptables" to organizational standards. CC ID 14463 | Configuration | Preventive | |
Configure the "ip6tables" settings to organizational standards. CC ID 15322 | Configuration | Preventive | |
Configure the "insecure registries" to organizational standards. CC ID 14455 | Configuration | Preventive | |
Configure the "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to organizational standards. CC ID 07602 | Configuration | Preventive | |
Configure the "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to organizational standards. CC ID 07648 | Configuration | Preventive | |
Configure the "net-host" argument to organizational standards. CC ID 14529 | Configuration | Preventive | |
Configure the "firewalld" to organizational standards. CC ID 15321 | Configuration | Preventive | |
Configure the "network bridge" to organizational standards. CC ID 14501 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Firewall state" to organizational standards. CC ID 07667 | Configuration | Preventive | |
Configure the "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)" to organizational standards. CC ID 07680 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Outbound connections" to organizational standards. CC ID 07695 | Configuration | Preventive | |
Configure the "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." to organizational standards. CC ID 07703 | Configuration | Preventive | |
Configure the "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to organizational standards. CC ID 07733 | Configuration | Preventive | |
Configure the "publish" argument to organizational standards. CC ID 14500 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Inbound connections" to organizational standards. CC ID 07747 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Apply local firewall rules" to organizational standards. CC ID 07777 | Configuration | Preventive | |
Configure the "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to organizational standards. CC ID 07801 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Firewall state" to organizational standards. CC ID 07803 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Apply local connection security rules" to organizational standards. CC ID 07805 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Apply local firewall rules" to organizational standards. CC ID 07833 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Display a notification" to organizational standards. CC ID 07836 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Outbound connections" to organizational standards. CC ID 07839 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Apply local firewall rules" to organizational standards. CC ID 07850 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Inbound connections" to organizational standards. CC ID 07851 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Outbound connections" to organizational standards. CC ID 07858 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Firewall state" to organizational standards. CC ID 07861 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Display a notification" to organizational standards. CC ID 07868 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Inbound connections" to organizational standards. CC ID 07872 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Allow unicast response" to organizational standards. CC ID 07873 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Allow unicast response" to organizational standards. CC ID 07885 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Apply local connection security rules" to organizational standards. CC ID 07890 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Allow unicast response" to organizational standards. CC ID 07893 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Apply local connection security rules" to organizational standards. CC ID 07896 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Display a notification" to organizational standards. CC ID 07902 | Configuration | Preventive | |
Configure the "Windows Firewall: Protect all network connections" to organizational standards. CC ID 08161 | Configuration | Preventive | |
Configure the "Windows Firewall: Allow inbound UPnP framework exceptions" to organizational standards. CC ID 08170 | Configuration | Preventive | |
Configure the "Windows Firewall: Allow local program exceptions" to organizational standards. CC ID 08173 | Configuration | Preventive | |
Configure the "Windows Firewall: Do not allow exceptions" to organizational standards. CC ID 08184 | Configuration | Preventive | |
Configure the "MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)" to organizational standards. CC ID 08208 | Configuration | Preventive | |
Configure the "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" to organizational standards. CC ID 08210 | Configuration | Preventive | |
Configure the "Windows Firewall: Allow local port exceptions" to organizational standards. CC ID 08214 | Configuration | Preventive | |
Configure the "Windows Firewall: Define inbound port exceptions" to organizational standards. CC ID 08215 | Configuration | Preventive | |
Configure the "Windows Firewall: Prohibit unicast response to multicast or broadcast requests" to organizational standards. CC ID 08217 | Configuration | Preventive | |
Configure the "Windows Firewall: Prohibit notifications" to organizational standards. CC ID 08249 | Configuration | Preventive | |
Configure the "Windows Firewall: Allow inbound file and printer sharing exception" to organizational standards. CC ID 08275 | Configuration | Preventive | |
Configure the "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" to organizational standards. CC ID 08279 | Configuration | Preventive | |
Configure the "Windows Firewall: Define inbound program exceptions" to organizational standards. CC ID 08282 | Configuration | Preventive | |
Configure the "Windows Firewall: Allow ICMP exceptions" to organizational standards. CC ID 08289 | Configuration | Preventive | |
Configure the "Windows Firewall: Allow inbound Remote Desktop exceptions" to organizational standards. CC ID 08295 | Configuration | Preventive | |
Configure the "Allow unencrypted traffic" to organizational standards. CC ID 08383 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Logging: Log successful connections" to organizational standards. CC ID 08466 | Configuration | Preventive | |
Configure the "Windows Firewall: Public: Logging: Size limit (KB)" to organizational standards. CC ID 08494 | Configuration | Preventive | |
Configure the "Windows Firewall: Domain: Logging: Log successful connections" to organizational standards. CC ID 08544 | Configuration | Preventive | |
Configure the "Windows Firewall: Private: Logging: Name" to organizational standards. CC ID 08595 | Configuration | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
Configure the storage parameters for all logs. CC ID 06330 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2] | Configuration | Preventive | |
Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The Information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Log Management | Detective | |
Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | Log Management | Detective | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Log Management | Detective | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | Configuration | Preventive | |
Generate an alert when an audit log failure occurs. CC ID 06737 [The Cloud Service Provider monitors the system components for logging and monitoring in its area of responsibility. Failures are automatically and promptly reported to the Cloud Service Provider's responsible departments so that these can assess the failures and take required action. OPS-17 ¶ 1] | Configuration | Preventive | |
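Detection logic for the two citations above, IDM-06 ¶ 3 (privileged activity is logged and automatically monitored for defined events that may indicate misuse) and OPS-17 ¶ 1 (failures of the logging components are reported promptly), as one added example. This is not code from C5 or from the UCF mapping. The log lines are constructed sudo/syslog-style records, and the rule set, the "work hours" window and the silence threshold are my own assumptions standing in for the provider's defined events.

```python
# Added example, not from C5 or the UCF mapping: detection logic for IDM-06 ¶ 3
# (monitor privileged activity for defined misuse indicators) and OPS-17 ¶ 1
# (alert when a log source stops reporting). The log lines are constructed;
# the rule set, work-hours window and silence threshold are assumptions.
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LINES = [  # constructed, not captured from a real system
    "2024-05-02T03:12:07Z host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob",
    "2024-05-02T09:15:30Z host1 sudo: carol : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "2024-05-02T10:00:00Z host2 sudo: dave : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash",
    "2024-05-02T10:00:05Z host2 sudo: dave : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit",
    "2024-05-02T10:01:00Z host2 sshd[1234]: Accepted publickey for dave from 10.0.0.5 port 50022",
    "2024-05-02T06:00:00Z host3 cron[77]: (root) CMD (/usr/local/bin/backup)",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SUDO_RE = re.compile(r"^sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/zsh", "/bin/su"}
PROTECTED_LOG_PATHS = ("/var/log/audit", "/var/log/auth.log", "/var/log/secure")
ADMIN_GROUPS = {"sudo", "wheel", "root"}
WORK_HOURS = range(7, 20)      # assumption: 07:00-19:59 UTC is the normal admin window


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(ts: datetime, cmd: str) -> List[str]:
    """Defined events that may indicate misuse of privileged access (assumed rule set)."""
    argv = cmd.split()
    hits = []
    if argv and argv[0] in SHELLS:
        hits.append("interactive_root_shell")
    if argv and argv[0].endswith("usermod") and ADMIN_GROUPS & set(argv[1:]):
        hits.append("admin_group_change")
    if any(p in cmd for p in PROTECTED_LOG_PATHS) or ("auditd" in cmd and "stop" in argv):
        hits.append("log_tampering")
    if ts.hour not in WORK_HOURS:
        hits.append("outside_hours")
    return hits


def monitor(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(rule, host, user, command) for every privileged action that matches a rule."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sm = SUDO_RE.match(m["msg"])
        if not sm:
            continue                      # not a privileged action record
        ts = parse_ts(m["ts"])
        for rule in classify(ts, sm["cmd"]):
            alerts.append((rule, m["host"], sm["user"], sm["cmd"]))
    return alerts


def last_seen_by_host(lines: List[str]) -> Dict[str, datetime]:
    """Latest timestamp received from each log source, privileged or not."""
    seen: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["host"] not in seen or ts > seen[m["host"]]:
            seen[m["host"]] = ts
    return seen


def silent_sources(last_seen: Dict[str, datetime], now: datetime, max_gap: timedelta) -> List[str]:
    """Log sources that have gone quiet for longer than max_gap: a logging failure
    to raise to the responsible team (OPS-17), not silently an empty dashboard."""
    return sorted(host for host, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LINES):
        print(alert)
```

A source that never reports at all never appears in last_seen_by_host(), so in production the expected-host inventory must be the starting point for silent_sources(), not the set of hosts that happened to send something.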
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | Configuration | Preventive | |
Configure Identity and Access Management policies to organizational standards. CC ID 15422 [Specified procedures for granting and modifying user accounts and access rights for internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider ensure compliance with the role and rights concept as well as the policy for managing user accounts and access rights. IDM-02 ¶ 1] | Configuration | Preventive | |
Configure the "Maximum password age" to organizational standards. CC ID 07688 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | Configuration | Preventive | |
Configure the "Minimum password length" to organizational standards. CC ID 07711 [{password length} If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: When creating passwords, compliance with the length and complexity requirements of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically enforced. PSS-07 ¶ 1 Bullet 2] | Configuration | Preventive | |
Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743 [{password length} If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: When creating passwords, compliance with the length and complexity requirements of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically enforced. PSS-07 ¶ 1 Bullet 2] | Configuration | Preventive | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | Testing | Detective | |
Configure security and protection software to enable automatic updates. CC ID 11945 [System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily. OPS-05 ¶ 1] | Configuration | Preventive | |
Configure initial system hardening according to the secure configuration baseline. CC ID 13824 [System components in the production environment used to provide the cloud service under the Cloud Service Provider's responsibility are hardened according to generally accepted industry standards. The hardening requirements for each system component are documented. OPS-23 ¶ 1 {acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Secure configuration of mechanisms for error handling, logging, encryption, authentication and authorisation; AM-02 ¶ 1 Bullet 4] | Configuration | Preventive | |
Configure the system's password field with a unique default password. CC ID 13825 | Configuration | Preventive | |
Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 [If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: In addition, these images provided by the Cloud Service Provider are hardened according to generally accepted industry standards. PSS-11 ¶ 1 Bullet 3] | Configuration | Preventive | |
Store master images on securely configured servers. CC ID 12089 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2] | Technical Security | Preventive | |
Audit the configuration of organizational assets, as necessary. CC ID 13653 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2 Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Configuration of system components to provide the cloud service within the Cloud Service Provider's area of responsibility; COM-03 ¶ 3 Bullet 1] | Audits and Risk Management | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems Design, Build, and Implementation | Preventive | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain System Development Life Cycle documentation. CC ID 12079 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: DEV-01 ¶ 2] | Systems Design, Build, and Implementation | Preventive | |
Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 | Establish/Maintain Documentation | Preventive | |
Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 [Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access and monitor the agreed services and security requirements. Section 5.12 Objective] | Systems Design, Build, and Implementation | Preventive | |
Obtain approval from appropriate parties for system design projects. CC ID 01033 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Systems Design, Build, and Implementation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [Production environments are physically or logically separated from test or development environments to prevent unauthorised access to cloud customer data, the spread of malware, or changes to system components. Data contained in the production environments is not used in test or development environments in order not to compromise their confidentiality. DEV-10 ¶ 1] | Systems Design, Build, and Implementation | Preventive | |
Implement security controls in development endpoints. CC ID 16389 | Testing | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in operation (reaction to identified faults and vulnerabilities). DEV-01 ¶ 2 Bullet 3 Policies and instructions with technical and organisational measures for the secure development of the cloud service are documented, communicated and provided in accordance with SP-01. DEV-01 ¶ 1] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain outsourced development procedures. CC ID 01141 [In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Security in software development (requirements, design, implementation, tests and verifications) in accordance with recognised standards and methods; DEV-02 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems Design, Build, and Implementation | Preventive | |
Store manufacturing components in a controlled access area. CC ID 12256 | Physical and Environmental Protection | Preventive | |
Develop new products based on best practices. CC ID 01095 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in Software Development (Requirements, Design, Implementation, Testing and Verification); DEV-01 ¶ 2 Bullet 1] | Systems Design, Build, and Implementation | Preventive | |
Document the system architecture in the system design specification. CC ID 12287 | Establish/Maintain Documentation | Preventive | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 | Establish/Maintain Documentation | Preventive | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Establish/Maintain Documentation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 [Ensure information security in the development cycle of information systems. Section 5.11 Objective] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 [Access to the non-production environment requires two-factor or multi-factor authentication. Within the non-production environment, users are authenticated using passwords, digitally signed certificates, or procedures that provide at least an equivalent level of security. IDM-09 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems Design, Build, and Implementation | Preventive | |
Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Technical Security | Preventive | |
Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Establish/Maintain Documentation | Preventive | |
Nest elements appropriately in website content using markup languages. CC ID 15154 | Configuration | Preventive | |
Use valid HTML or other markup languages. CC ID 15153 | Configuration | Preventive | |
Establish, implement, and maintain human interface guidelines. CC ID 08662 | Establish/Maintain Documentation | Preventive | |
Ensure users can navigate content. CC ID 15163 | Configuration | Preventive | |
Create text content using language that is readable and is understandable. CC ID 15167 | Configuration | Preventive | |
Ensure user interface components are operable. CC ID 15162 | Configuration | Preventive | |
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Configuration | Preventive | |
Allow users to reverse submissions. CC ID 15168 | Configuration | Preventive | |
Provide a mechanism to control audio. CC ID 15158 | Configuration | Preventive | |
Allow modification of style properties without loss of content or functionality. CC ID 15156 | Configuration | Preventive | |
Programmatically determine the name and role of user interface components. CC ID 15148 | Configuration | Preventive | |
Programmatically determine the language of content. CC ID 15137 | Configuration | Preventive | |
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Configuration | Preventive | |
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Configuration | Preventive | |
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Configuration | Preventive | |
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Configuration | Preventive | |
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Process or Activity | Preventive | |
Provide captions for live audio content. CC ID 15120 | Configuration | Preventive | |
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Configuration | Preventive | |
Provide labels or instructions when content requires user input. CC ID 15077 | Configuration | Preventive | |
Allow users to control auto-updating information, as necessary. CC ID 15159 | Configuration | Preventive | |
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Configuration | Preventive | |
Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Configuration | Preventive | |
Ensure the purpose of links can be determined through the link text. CC ID 15157 | Configuration | Preventive | |
Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Configuration | Preventive | |
Allow the use of time limits, as necessary. CC ID 15155 | Configuration | Preventive | |
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Establish/Maintain Documentation | Preventive | |
Refrain from activating a change of context in a user interface component. CC ID 15115 | Configuration | Preventive | |
Include functionality for managing user data in human interface guidelines. CC ID 14928 | Establish/Maintain Documentation | Preventive | |
Establish and maintain User Interface documentation. CC ID 12204 [The type and scope of the documentation on the interfaces is geared to the needs of the cloud customers' subject matter experts in order to enable the use of these interfaces. The information is maintained in such a way that it is applicable for the cloud service's version which is intended for productive use. PI-01 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include data encryption information in the system design specification. CC ID 12209 | Establish/Maintain Documentation | Preventive | |
Include records disposition information in the system design specification. CC ID 12208 | Establish/Maintain Documentation | Preventive | |
Include how data is managed in each module in the system design specification. CC ID 12207 | Establish/Maintain Documentation | Preventive | |
Include identifying restricted data in the system design specification. CC ID 12206 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Communicate | Preventive | |
Implement data controls when developing systems. CC ID 15302 | Systems Design, Build, and Implementation | Preventive | |
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Technical Security | Preventive | |
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems Design, Build, and Implementation | Preventive | |
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems Design, Build, and Implementation | Preventive | |
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems Design, Build, and Implementation | Preventive | |
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems Design, Build, and Implementation | Preventive | |
Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems Design, Build, and Implementation | Preventive | |
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems Design, Build, and Implementation | Preventive | |
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems Design, Build, and Implementation | Preventive | |
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Establish/Maintain Documentation | Preventive | |
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems Design, Build, and Implementation | Preventive | |
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems Design, Build, and Implementation | Preventive | |
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Establish/Maintain Documentation | Preventive | |
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Establish/Maintain Documentation | Preventive | |
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Establish/Maintain Documentation | Preventive | |
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Establish/Maintain Documentation | Preventive | |
Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems Design, Build, and Implementation | Preventive | |
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems Design, Build, and Implementation | Preventive | |
Install secret information under dual control into the hardware security module. CC ID 12257 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems Design, Build, and Implementation | Preventive | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems Design, Build, and Implementation | Preventive | |
Automate secure update mechanisms, as necessary. CC ID 14933 [Assets provided by the Cloud Service Provider, which must be installed, provided or operated by cloud users within their area of responsibility, are equipped with automatic update mechanisms. After approval by the respective cloud user, software updates can be rolled out in such a way that they can be distributed to all affected users without human interaction. PSS-03 ¶ 5] | Systems Design, Build, and Implementation | Preventive | |
Include the source code in the implementation representation document. CC ID 13089 | Establish/Maintain Documentation | Preventive | |
Include the hardware schematics in the implementation representation document. CC ID 13098 | Establish/Maintain Documentation | Preventive | |
Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Process or Activity | Preventive | |
Review and update the security architecture, as necessary. CC ID 14277 | Establish/Maintain Documentation | Corrective | |
Design the privacy architecture. CC ID 14671 | Systems Design, Build, and Implementation | Preventive | |
Review and update the privacy architecture, as necessary. CC ID 14674 | Establish/Maintain Documentation | Preventive | |
Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Process or Activity | Preventive | |
Implement software development version controls. CC ID 01098 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Requirements for versions of software and images as well as application of patches; AM-02 ¶ 1 Bullet 5] | Systems Design, Build, and Implementation | Preventive | |
Protect source code in accordance with organizational requirements. CC ID 16855 | Technical Security | Preventive | |
Document the results of the source code analysis. CC ID 14310 | Process or Activity | Detective | |
Digitally sign software components. CC ID 16490 | Process or Activity | Preventive | |
Develop new products based on secure coding techniques. CC ID 11733 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in software deployment (including continuous delivery); and DEV-01 ¶ 2 Bullet 2] | Systems Design, Build, and Implementation | Preventive | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Technical Security | Preventive | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Configuration | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Acceptance testing of the quality of the services provided in accordance with the agreed functional and non-functional requirements; and DEV-02 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Restrict production data from being used in the test environment. CC ID 01103 [Production environments are physically or logically separated from test or development environments to prevent unauthorised access to cloud customer data, the spread of malware, or changes to system components. Data contained in the production environments is not used in test or development environments in order not to compromise their confidentiality. DEV-10 ¶ 1] | Testing | Detective | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Code reviews by the Cloud Service Provider's subject matter experts; and PSS-02 ¶ 2 Bullet 3 The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. PSS-02 ¶ 4] | Testing | Detective | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Communicate | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
Plan and document the Certification and Accreditation process. CC ID 11767 [The Information Security Management System (ISMS) has a valid certification according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz. OIS-01 ¶ 3 To the extent applicable for the certification or attestation, the following information are provided: issuing organisation; and BC-06 ¶ 2 Bullet 2 To the extent applicable for the certification or attestation, the following information are provided: date of issuance; BC-06 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Submit the information system's security authorization package to the appropriate stakeholders, as necessary. CC ID 13987 | Establish/Maintain Documentation | Preventive | |
Establish and maintain end user support communications. CC ID 06615 | Business Processes | Preventive | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [{vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical security updates to users. CC ID 14942 [{time frame} For each vulnerability, it is indicated whether software updates (e.g. patch, update) are available, when they will be rolled out and whether they will be deployed by the Cloud Service Provider, the cloud customer or both of them together. PSS-03 ¶ 4] | Communicate | Corrective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access classification scheme. CC ID 00509 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Identify external requirements for customer access. CC ID 12736 | Technical Security | Detective | |
Address and remediate external requirements for customer access. CC ID 12737 | Technical Security | Corrective | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [Ensure the protection of information in networks and the corresponding information processing systems. Section 5.9 Objective Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction are documented, communicated and provided according to SP-01. The policies and instructions establish a reference to the classification of information (cf. AM-06). COS-08 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security classifications for organizational assets. CC ID 00005 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Establish/Maintain Documentation | Preventive | |
Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
Implement identity proofing processes. CC ID 13719 | Process or Activity | Preventive | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
Verify proof of identity records. CC ID 13761 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of the person through identity card; HR-01 ¶ 2 Bullet 1] | Investigate | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
Establish, implement, and maintain an access control program. CC ID 11702 [Access controls are supported by an access control system. PS-04 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 [If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: The user is informed about changing or resetting the password. PSS-07 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include guidance on selecting authentication credentials in the access control program. CC ID 11928 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 [Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1 {access roles} {access rights} The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service addresses the following aspects, where applicable to the cloud service: Roles and rights concept including combinations that result in an elevated risk; and PSS-01 ¶ 2 Bullet 5 {access rights management plan} The Cloud Service Provider provides cloud users with a roles and rights concept for managing access rights. It describes rights profiles for the functions provided by the cloud service. PSS-08 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
Review user accounts. CC ID 00525 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Regular review of assigned user accounts and access rights; IDM-01 ¶ 1 Bullet 6] | Technical Security | Detective | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 [{access rights management plan} The Cloud Service Provider provides cloud users with a roles and rights concept for managing access rights. It describes rights profiles for the functions provided by the cloud service. PSS-08 ¶ 1] | Human Resources Management | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Granting and modifying user accounts and access rights based on the "least-privilege-principle" and the "need-to-know" principle; IDM-01 ¶ 1 Bullet 2 Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ("need-to-know principle"). Technical users are assigned to internal or external employees of the Cloud Service Provider. IDM-06 ¶ 2] | Technical Security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 [Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ("need-to-know principle"). Technical users are assigned to internal or external employees of the Cloud Service Provider. IDM-06 ¶ 2] | Technical Security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Data traffic of cloud customers in jointly used network environments is segregated on network level according to a documented concept to ensure the confidentiality and integrity of the data transmitted. COS-06 ¶ 1] | Configuration | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Communicate | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 [User accounts of internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider are automatically locked if they have not been used for a period of two months. Approval from authorised personnel or system components is required to unlock these accounts. IDM-03 ¶ 1] | Technical Security | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 [{be inactive} To protect confidentiality, availability, integrity and authenticity during interactions with the cloud service, a suitable session management system is used that at least corresponds to the state-of-the-art and is protected against known attacks. Mechanisms are implemented that invalidate a session after it has been detected as inactive. The inactivity can be detected by time measurement. In this case, the time interval can be configured by the Cloud Service Provider or – if technically possible – by the cloud customer. PSS-06 ¶ 1] | Technical Security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 [Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility is restricted to authorised users. Changes to the configuration are made in accordance with the applicable policies (cf. DEV-03). OPS-16 ¶ 1 The Cloud Service Provider offers cloud customers a self-service with which they can independently assign and change user accounts and access rights. IDM-02 ¶ 2 Access to the functions provided by the cloud service is restricted by access controls (authorisation mechanisms) that verify whether users, IT components, or applications are authorised to perform certain actions. PSS-09 ¶ 1 {attribute-based access control} Access controls are attribute-based to enable granular and contextual checks against multiple attributes of a user, IT component, or application (e.g., role, location, authentication method). PSS-09 ¶ 3 If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: The cloud customer can restrict the selection of images of virtual machines or containers according to his specifications, so that users of this cloud customer can only launch the images or containers released according to these restrictions. PSS-11 ¶ 1 Bullet 1] | Configuration | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1] | Technical Security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 [{maintain} {confidentiality} The users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively for themselves (within the members of the group). IDM-08 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Establish/Maintain Documentation | Preventive | |
Review all user privileges, as necessary. CC ID 06784 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Regular review of assigned user accounts and access rights; IDM-01 ¶ 1 Bullet 6 Privileged access rights are reviewed at least every six months. IDM-05 ¶ 2 Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1] | Technical Security | Preventive | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Time-based or event-driven removal or adjustment of access rights in the event of changes to job responsibility; IDM-01 ¶ 1 Bullet 8] | Behavior | Corrective | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{least privilege} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Specified procedure for the granting and revoking of access authorisations (cf. IDM-02) based on the principle of least authorisation ("least-privilege-principle") and as necessary for the performance of tasks ("need-to-know-principle"); PS-04 ¶ 3 Bullet 1] | Technical Security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1 Privileged access rights for internal and external employees as well as technical users of the Cloud Service Provider are assigned and changed in accordance with the policy for managing user accounts and access rights (cf. IDM-01) or a separate specific policy. IDM-06 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical Security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
Remove inactive user accounts, as necessary. CC ID 00517 [{automated} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Automatic revocation of access authorisations if they have not been used for a period of 2 months; PS-04 ¶ 3 Bullet 2 {automated} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Automatic withdrawal of access authorisations if they have not been used for a period of 6 months; PS-04 ¶ 3 Bullet 3 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Blocking and removing access accounts in the event of inactivity; IDM-01 ¶ 1 Bullet 7 Locked user accounts are automatically revoked after six months. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-03 ¶ 2] | Technical Security | Corrective | |
Establish, implement, and maintain a password policy. CC ID 16346 [System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Locked user accounts are automatically revoked after six months. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-03 ¶ 2] | Technical Security | Preventive | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Log Management | Preventive | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Establish/Maintain Documentation | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 [{authentication factor} The cloud service offers out-of-band authentication (OOB), in which the factors are transmitted via different channels (e.g. Internet and mobile network). PSS-05 ¶ 4] | Technical Security | Corrective | |
Document approving and granting access in the access control log. CC ID 06786 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Approval by authorised individual(s) or system(s) for granting or modifying user accounts and access rights before data of the cloud customer or system components used to provision the cloud service can be accessed; IDM-01 ¶ 1 Bullet 5 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Requirements for the approval and documentation of the management of user accounts and access rights. IDM-01 ¶ 1 Bullet 10] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
Include the user's location in the system record. CC ID 16996 | Log Management | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: PS-04 ¶ 3] | Communicate | Corrective | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 [Secure the authorisation and authentication of users of the Cloud Service Provider (typically privileged users) to prevent unauthorised access. Section 5.7 Objective] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Establish/Maintain Documentation | Preventive | |
Include the scope in the identification and authentication policy. CC ID 14232 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Establish/Maintain Documentation | Preventive | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Communicate | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Between logging servers and the assets to be logged, authentication takes place to protect the integrity and authenticity of the information transmitted and stored. The transfer takes place using state-of-the-art encryption or a dedicated administration network (out-of-band management). OPS-14 ¶ 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service addresses the following aspects, where applicable to the cloud service: Authentication mechanisms; PSS-01 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical Security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
Employ unique identifiers. CC ID 01273 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Assignment of unique usernames; IDM-01 ¶ 1 Bullet 1] | Testing | Detective | |
Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: IDM-08 ¶ 1] | Data and Information Management | Preventive | |
Require proper authentication for user identifiers. CC ID 11785 | Technical Security | Preventive | |
Assign authentication mechanisms for user account authentication. CC ID 06856 [The Cloud Service Provider provides authentication mechanisms that can force strong authentication (e.g. two or more factors) for users, IT components or applications within the cloud users' area of responsibility. PSS-05 ¶ 1] | Configuration | Preventive | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Communicate | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Process or Activity | Preventive | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical Security | Preventive | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical Security | Preventive | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: The user is informed about changing or resetting the password. IDM-08 ¶ 1 Bullet 3] | Communicate | Preventive | |
Identify and control all network access controls. CC ID 00529 [{alternate} The cloud service can be accessed by other cloud services or IT systems of cloud customers through documented inbound and outbound interfaces. Further, the interfaces are clearly documented for subject matter experts on how they can be used to retrieve the data. PI-01 ¶ 1] | Technical Security | Preventive | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Technical Security | Detective | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1 Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: in which cases the security zones are to be separated and in which cases cloud customers are to be logically or physically segregated; COS-02 ¶ 1 Bullet 1 Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: how the data traffic for administration and monitoring is segregated from each on network level; COS-02 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 | Process or Activity | Preventive | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical Security | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical Security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: COS-02 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: COS-02 ¶ 1] | Communicate | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Process or Activity | Detective | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Process or Activity | Detective | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Establish/Maintain Documentation | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Establish/Maintain Documentation | Preventive | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Communicate | Preventive | |
Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical Security | Preventive | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical Security | Preventive | |
Implement segregation of duties. CC ID 11843 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Segregation of duties between operational and monitoring functions ("Segregation of Duties"); IDM-01 ¶ 1 Bullet 3 The rights profiles are suitable for enabling cloud users to manage access authorisations and permissions in accordance with the principle of least-privilege and how it is necessary for the performance of tasks ("need-to-know principle") and to implement the principle of functional separation between operational and controlling functions ("separation of duties"). PSS-08 ¶ 2] | Technical Security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment based on the requirements of the cloud customers. COS-04 ¶ 1 {be redundant} {be available} Each network perimeter is controlled by redundant and highly-available security gateways. COS-04 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical Security | Preventive | |
Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical Security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Resources in the storage network are segmented by secure zoning (LUN binding and LUN masking). OPS-24 ¶ 2] | Data and Information Management | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 [Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment based on the requirements of the cloud customers. COS-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical Security | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Establish/Maintain Documentation | Preventive | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Technical Security | Preventive | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Configuration | Preventive | |
Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 [{insecure protocol} At specified intervals, the business justification for using all services, protocols, and ports is reviewed. The review also includes the justifications for compensatory measures for the use of protocols that are considered insecure. COS-03 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Establish/Maintain Documentation | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Configuration | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which communication relationships and which network and application protocols are permitted in each case; COS-02 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Communicate | Preventive | |
Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical Security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Technical Security | Preventive | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical Security | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 [{alternate} The cloud service can be accessed by other cloud services or IT systems of cloud customers through documented inbound and outbound interfaces. Further, the interfaces are clearly documented for subject matter experts on how they can be used to retrieve the data. PI-01 ¶ 1 These authentication mechanisms are set up at all access points that allow users, IT components or applications to interact with the cloud service. PSS-05 ¶ 2] | Configuration | Detective | |
Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
Configure network flow monitoring to organizational standards. CC ID 16364 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Configuration | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction are documented, communicated and provided according to SP-01. The policies and instructions establish a reference to the classification of information (cf. AM-06). COS-08 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a document printing policy. CC ID 14384 | Establish/Maintain Documentation | Preventive | |
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 | Establish/Maintain Documentation | Preventive | |
Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Establish/Maintain Documentation | Preventive | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 | Establish/Maintain Documentation | Preventive | |
Include the data sensitivity levels in the information exchange procedures. CC ID 17024 | Establish/Maintain Documentation | Preventive | |
Include communication requirements in the information exchange procedures. CC ID 17026 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which cross-network communication is allowed. COS-02 ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Establish/Maintain Documentation | Preventive | |
Include contact information in the information exchange procedures. CC ID 17307 | Establish/Maintain Documentation | Preventive | |
Include implementation procedures in the information exchange procedures. CC ID 17022 | Establish/Maintain Documentation | Preventive | |
Include security controls in the information exchange procedures. CC ID 17021 | Establish/Maintain Documentation | Preventive | |
Include testing procedures in the information exchange procedures. CC ID 17020 | Establish/Maintain Documentation | Preventive | |
Include measurement criteria in the information exchange procedures. CC ID 17019 | Establish/Maintain Documentation | Preventive | |
Include training requirements in the information exchange procedures. CC ID 17017 | Establish/Maintain Documentation | Preventive | |
Test the information exchange procedures. CC ID 17115 | Testing | Preventive | |
Perform content sanitization on data-in-transit. CC ID 16512 | Data and Information Management | Preventive | |
Perform content conversion on data-in-transit. CC ID 16510 | Data and Information Management | Preventive | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Data and Information Management | Preventive | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Log Management | Preventive | |
Revoke membership in the allowlist, as necessary. CC ID 13827 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 | Data and Information Management | Preventive | |
Separate user functionality from system management functionality. CC ID 11858 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Technical Security | Preventive | |
Control remote administration in accordance with organizational standards. CC ID 04459 [{acceptable use policy} {remote management} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Remote deactivation, deletion or blocking; AM-02 ¶ 1 Bullet 9] | Configuration | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Two-factor authentication for access to areas hosting system components that process cloud customer information; PS-04 ¶ 3 Bullet 4 Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility requires two-factor authentication. OPS-16 ¶ 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 Access to the non-production environment requires two-factor or multi-factor authentication. Within the non-production environment, users are authenticated using passwords, digitally signed certificates, or procedures that provide at least an equivalent level of security. IDM-09 ¶ 2 {dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1 The Cloud Service Provider provides authentication mechanisms that can force strong authentication (e.g. two or more factors) for users, IT components or applications within the cloud users' area of responsibility. PSS-05 ¶ 1] | Configuration | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical Security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [{be appropriate} {be effective} Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. Section 5.8 Objective {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical Security | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Consideration of relevant legal and regulatory obligations and requirements. CRY-01 ¶ 1 Bullet 4] | Technical Security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Establish/Maintain Documentation | Preventive | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Establish/Maintain Documentation | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 [{technical safeguard} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: CRY-01 ¶ 1] | Communicate | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Establish/Maintain Documentation | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised; CRY-04 ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 [{technical safeguard} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: CRY-01 ¶ 1] | Communicate | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: If pre-shared keys are used, the specific provisions relating to the safe use of this procedure are specified separately. CRY-04 ¶ 1 Bullet 8] | Establish/Maintain Documentation | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Secure storage of keys (separation of key management system from application and middleware level) including description of how authorised users get access; CRY-04 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Establish/Maintain Documentation | Preventive | |
Generate strong cryptographic keys. CC ID 01299 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Data and Information Management | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 [{be different} Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Generation of keys for different cryptographic systems and applications; CRY-04 ¶ 1 Bullet 1] | Technical Security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Provisioning and activation of the keys; CRY-04 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Provisioning and activation of the keys; CRY-04 ¶ 1 Bullet 3] | Data and Information Management | Preventive | |
Store cryptographic keys securely. CC ID 01298 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Secure storage of keys (separation of key management system from application and middleware level) including description of how authorised users get access; CRY-04 ¶ 1 Bullet 4] | Data and Information Management | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 The private keys used for encryption are known to the customer exclusively and without exception in accordance with applicable legal and regulatory obligations and requirements. CRY-03 ¶ 2 The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Data and Information Management | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Communicate | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Data and Information Management | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised; CRY-04 ¶ 1 Bullet 5 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Handling of compromised keys; CRY-04 ¶ 1 Bullet 6 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Withdrawal and deletion of keys; and CRY-04 ¶ 1 Bullet 7] | Technical Security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Data and Information Management | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Data and Information Management | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 [System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Issuing and obtaining public-key certificates; CRY-04 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Issuing and obtaining public-key certificates; CRY-04 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Between logging servers and the assets to be logged, authentication takes place to protect the integrity and authenticity of the information transmitted and stored. The transfer takes place using state-of-the-art encryption or a dedicated administration network (out-of-band management). OPS-14 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of all data. CRY-02 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of data of cloud customers over public networks. CRY-02 ¶ 1] | Technical Security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 [{physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Configuration | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Usage of strong encryption procedures and secure network protocols that correspond to the state-of-the-art; CRY-01 ¶ 1 Bullet 1 {be risk-based} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Risk-based provisions for the use of encryption which are aligned with the information classification schemes (cf. AM-06) and consider the communication channel, type, strength and quality of the encryption; CRY-01 ¶ 1 Bullet 2] | Technical Security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Protection against malware; AM-02 ¶ 1 Bullet 8] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 [Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Operating protection programs on system components under the responsibility of the Cloud Service Provider that are used to provide the cloud service in the production environment; and OPS-04 ¶ 1 Bullet 2 Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Use of system-specific protection mechanisms; OPS-04 ¶ 1 Bullet 1 Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Operation of protection programs for employees' terminal equipment. OPS-04 ¶ 1 Bullet 3] | Communicate | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: OPS-04 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily. OPS-05 ¶ 1] | Configuration | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical Security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 [The contract between the Cloud Service Provider and the cloud customer regulates which data is made available to the cloud customer for his own analysis in the event of security incidents. SIM-03 ¶ 4 The Cloud Service Provider grants its cloud customers contractually guaranteed information and audit rights. COM-02 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356 | Configuration | Preventive | |
Employ resource-isolation mechanisms in virtual environments. CC ID 12178 [{shared resource} Cloud customer data stored and processed on shared virtual and physical resources is securely and strictly separated according to a documented approach based on OIS-07 risk analysis to ensure the confidentiality and integrity of this data. OPS-24 ¶ 1] | Configuration | Preventive | |
Sanitize customer data from all shared resources upon agreement termination. CC ID 12175 [{alternate} Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. Section 5.10 Objective] | Records Management | Preventive | |
Return all unstructured data from all shared resources upon agreement termination. CC ID 12336 [{alternate} Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. Section 5.10 Objective] | Business Processes | Preventive | |
Remove data remnants in terminated Virtual Machines. CC ID 12168 | Technical Security | Corrective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: SSO-01 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 | Business Processes | Corrective | |
Establish, implement, and maintain an exit plan. CC ID 15492 [The Cloud Service Provider has defined and documented exit strategies for the purchase of services where the risk assessment of the service providers and suppliers regarding the scope, complexity and uniqueness of the purchased service resulted in a very high dependency (cf. Supplementary Information). SSO-05 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 [Exit strategies are aligned with operational continuity plans and include the following aspects: SSO-05 ¶ 2] | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{nondisclosure agreement} The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated. HR-06 ¶ 3 The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted. HR-06 ¶ 2] | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state-of-the-art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: applicable legal and regulatory requirements; SSO-01 ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: Records of the third parties on the handling of vulnerabilities, security incidents and malfunctions. SSO-04 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: independent third-party reports on the suitability and operating effectiveness of their service-related internal control systems; and SSO-04 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for applying these requirements also to service providers used by the third parties, insofar as the services provided by these service providers also contribute to the provision of the cloud service. SSO-01 ¶ 1 Bullet 9] | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 [In accordance with the contractual agreements, meaningful information about the occasion, time, duration, type and scope of the change is submitted to authorised bodies of the cloud customer so that they can carry out their own risk assessment before the change is made available in the production environment. Regardless of the contractual agreements, this is done for changes that have the highest risk category based on their risk assessment. DEV-05 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include location requirements in third party contracts. CC ID 16915 [The cloud customer is able to specify the locations (location/country) of the data processing and storage including data backups according to the contractually available options. PSS-12 ¶ 1] | Acquisition/Sale of Assets or Services | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
Include termination costs in third party contracts. CC ID 10023 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Categorisation and Prioritisation of incidents; BC-02 ¶ 1 Bullet 2 In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Response times for disruptions of regular operation according to the categorisation (time elapsed between the reporting and the resolution of the disruption by the Cloud Service Provider); BC-02 ¶ 1 Bullet 3 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for dealing with vulnerabilities, security incidents and malfunctions; SSO-01 ¶ 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Information security requirements for the processing, storage or transmission of information by third parties based on recognised industry standards; SSO-01 ¶ 1 Bullet 3] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [{independent audit report} {internal control system} The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance. SSO-01 ¶ 3] | Testing | Detective | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Communicate | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: OIS-03 ¶ 1 Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identify dependencies, including processes (including resources required), applications, business partners and third parties; BCM-02 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [{directory} {service provider} The information in the list is checked at least annually for completeness, accuracy and validity. SSO-03 ¶ 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: SSO-03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Company name; SSO-03 ¶ 1 Bullet 1] | Data and Information Management | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Establish/Maintain Documentation | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Locations of data processing and storage; SSO-03 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Locations of data processing and storage; SSO-03 ¶ 1 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Address; SSO-03 ¶ 1 Bullet 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Responsible contact person at the service provider/supplier; SSO-03 ¶ 1 Bullet 4 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Responsible contact person at the cloud service provider; SSO-03 ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Beginning of service usage; and SSO-03 ¶ 1 Bullet 8] | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Description of the service; SSO-03 ¶ 1 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for the classification of third parties based on the risk assessment by the Cloud Service Provider and the determination of whether the third party is a subcontractor (cf. Supplementary Information); SSO-01 ¶ 1 Bullet 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Classification based on the risk assessment; SSO-03 ¶ 1 Bullet 7] | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for the assessment of risks resulting from the procurement of third-party services; SSO-01 ¶ 1 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Service providers and suppliers of the Cloud Service Provider undergo a risk assessment in accordance with the policies and instructions for the control and monitoring of third parties prior to contributing to the delivery of the cloud service. The adequacy of the risk assessment is reviewed regularly, at least annually, by qualified personnel of the Cloud Service Provider during service usage. SSO-02 ¶ 1 The frequency of the monitoring corresponds to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. SSO-02). The results of the monitoring are included in the review of the third party's risk assessment. SSO-04 ¶ 3] | Testing | Detective | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: The Cloud Service Provider's dependence on the service provider or supplier for the scope, complexity and uniqueness of the service purchased, including the consideration of possible alternatives. SSO-02 ¶ 2 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [Service providers and suppliers of the Cloud Service Provider undergo a risk assessment in accordance with the policies and instructions for the control and monitoring of third parties prior to contributing to the delivery of the cloud service. The adequacy of the risk assessment is reviewed regularly, at least annually, by qualified personnel of the Cloud Service Provider during service usage. SSO-02 ¶ 1] | Audits and Risk Management | Detective | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Proof of compliance with contractually agreed requirements. SSO-03 ¶ 1 Bullet 9 Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: SSO-04 ¶ 2] | Establish/Maintain Documentation | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: certificates of the management systems' compliance with international standards; SSO-04 ¶ 2 Bullet 2] | Business Processes | Preventive | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [Subservice organisations of the Cloud Service Provider are contractually obliged to provide regular reports by independent auditors on the suitability of the design and operating effectiveness of their service-related internal control system. SSO-01 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: reports on the quality of the service provided; SSO-04 ¶ 2 Bullet 1 The frequency of the monitoring corresponds to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. SSO-02). The results of the monitoring are included in the review of the third party's risk assessment. SSO-04 ¶ 3] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 [If necessary, the Cloud Service Provider will outsource parts of its business processes for the provision of the cloud service to other service providers (use of subservice organisations). The Cloud Service Provider describes this in its description and the auditor takes this into consideration as specified in the audit standards ISAE 3402. The standard distinguishes for an attestation engagement between the "inclusive method" and the "carve-out method": Section 3.4.5 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain contracts with asset disposition vendors, as necessary. CC ID 14826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain contracts with Information Technology asset disposition vendors. CC ID 13895 | Establish/Maintain Documentation | Preventive | |
Specify asset ownership in outsourcing contracts. CC ID 13141 | Establish/Maintain Documentation | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 | Establish/Maintain Documentation | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 | Establish/Maintain Documentation | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 | Establish/Maintain Documentation | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition or sale of facilities, technology, and services | Preventive | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 [The cloud customer is able to specify the locations (location/country) of the data processing and storage including data backups according to the contractually available options. PSS-12 ¶ 1] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Submit closure reports at the conclusion of each information technology project. CC ID 16948 | Leadership and high level objectives | Preventive | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Detective | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Audits and risk management | Preventive | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Audits and risk management | Preventive | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Audits and risk management | Preventive | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9) Section 3.4.8 ¶ 2 1 (c)] | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9) Section 3.4.8 ¶ 2 1 (c)] | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 [{independent audit report} The report on an attestation engagement includes the following elements: Intended users and purpose Section 3.4.8 ¶ 2 1 (g)] | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the description fairly presents the Cloud Service Provider's service-related system of internal control to meet the C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report) and includes the minimum content as set forth in Section 3.4.4.1 this criteria catalogue; Section 3.4.4.2 ¶ 1 Bullet 1 {responsible personnel} The report on an attestation engagement includes the following elements: Written statement by the Cloud Service Provider's management responsible for the cloud service(s). Section 3.4.8 ¶ 2 2. {independent audit report} The report on an attestation engagement includes the following elements: Cloud Service Provider's responsibility Section 3.4.8 ¶ 2 1 (b)] | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: The measures to be taken to remedy the deviation in the future and when these measures are likely to be completed or effectively implemented. Section 3.4.7 ¶ 2 Bullet 3] | Audits and risk management | Corrective | |
Include the total user downtime in the disclosure report. CC ID 15635 [The cloud provider provides subject matter experts of cloud customers with comprehensible and transparent information on the availability of the data centres used to provide the cloud service (including data centres operated by subcontractors), as needed. The information shows availability and downtime over one year according to industry standard classification schemes. The information enables cloud customers to assess the cloud service as part of their business impact analysis. BC-04 ¶ 1] | Audits and risk management | Preventive | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [After a security incident has been processed, the solution is documented in accordance with the contractual agreements and the report is sent to the affected customers for final acknowledgement or, if applicable, as confirmation. SIM-03 ¶ 1] | Operational management | Preventive | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervision the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): 3 years relevant professional experience with IT audits in a public audit firm Section 3.4.9 ¶ 3 Bullet 1 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervision the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: Information Systems Audit and Control Association (ISACA) – Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified in Risk and Information Systems Control (CRISC) Section 3.4.9 ¶ 4 Bullet 1 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervision the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: ISO/IEC 27001 Lead Auditor or BSI certified ISO 27001 Auditor for audits based on BSI IT-Grundschutz Section 3.4.9 ¶ 4 Bullet 2 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervision the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: Cloud Security Alliance (CSA) – Certificate of Cloud Security Knowledge (CCSK) Section 3.4.9 ¶ 4 Bullet 3 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervision the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: (ISC)² – Certified Cloud Security Professional (CCSP) Section 3.4.9 ¶ 4 Bullet 4] | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: compliance of the management systems for information security, business continuity and quality with applicable international standards; BC-06 ¶ 1 Bullet 1 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: compliance with the European General Data Protection Regulation (GDPR); BC-06 ¶ 1 Bullet 2 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: certifications or attestations according to industry-specific requirements of cloud customers. BC-06 ¶ 1 Bullet 4] | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 [{cannot provide} {complementary user entity control} In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel. SSO-01 ¶ 4] | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and risk management | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [When assessing the coverage of C5 criteria by results obtained during other audits, particular consideration shall be given to the nature of the audit and compared with the 'reasonable assurance' required for an attestation engagement or a direct engagement (cf. Section 3.4.1). For example, results from ISO certification audits are to be assessed differently from those obtained from an ISAE 3000 audit. Section 3.3 ¶ 4] | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [Subject matter experts check the compliance of the information security management system at regular intervals, at least annually, with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) as well as compliance with the policies and instructions (cf. SP-01) within their scope of responsibility (cf. OIS-01) through internal audits. COM-03 ¶ 1] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [Subject matter experts check the compliance of the information security management system at regular intervals, at least annually, with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) as well as compliance with the policies and instructions (cf. SP-01) within their scope of responsibility (cf. OIS-01) through internal audits. COM-03 ¶ 1] | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Audits and risk management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2 {cannot provide} {complementary user entity control} In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel. SSO-01 ¶ 4 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the activities; COM-02 ¶ 1 Bullet 1] | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6 In case of a direct engagement, the components 2 'Written statement' and 3 'Description' are omitted. Nevertheless, the minimum contents of the description mentioned in Section 3.4.4.1 shall be presented in all material respects in the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Such information shall be provided in a separate section, e.g. "Description of the cloud service and the policies, procedures and measures applied by the Cloud Service Provider". Section 3.4.8 ¶ 3] | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 [{independent audit report} {audit criteria} The report on an attestation engagement includes the following elements: Scope and C5 version Section 3.4.8 ¶ 2 1 (a)] | Audits and risk management | Preventive | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 [The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Administration of rights profiles, approval and assignment of access and access authorisations (cf. IDM-01); OIS-04 ¶ 2 Bullet 1 The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners; OIS-06 ¶ 1 Bullet 1 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Analysis of the probability and impact of occurrence and determination of the level of risk; OIS-06 ¶ 1 Bullet 2] | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Possible scenarios based on a risk analysis; BCM-02 ¶ 1 Bullet 1] | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Analysis of the probability and impact of occurrence and determination of the level of risk; OIS-06 ¶ 1 Bullet 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: BCM-02 ¶ 1] | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: Protection needs regarding the confidentiality, integrity, availability and authenticity of information processed, stored or transmitted by the third party; SSO-02 ¶ 2 Bullet 1] | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of critical products and services; BCM-02 ¶ 1 Bullet 2 Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Capture threats to critical products and services; BCM-02 ¶ 1 Bullet 4] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling; OIS-06 ¶ 1 Bullet 3] | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Audit the configuration of organizational assets, as necessary. CC ID 13653 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2 Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Configuration of system components to provide the cloud service within the Cloud Service Provider's area of responsibility; COM-03 ¶ 3 Bullet 1] | System hardening through configuration management | Detective | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [Service providers and suppliers of the Cloud Service Provider undergo a risk assessment in accordance with the policies and instructions for the control and monitoring of third parties prior to contributing to the delivery of the cloud service. The adequacy of the risk assessment is reviewed regularly, at least annually, by qualified personnel of the Cloud Service Provider during service usage. SSO-02 ¶ 1] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the performance and documentation of tests; DEV-03 ¶ 1 Bullet 2 The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Monitoring and measurement | Preventive | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Preventive | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: HR-04 ¶ 1 Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitoring and measurement | Corrective | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and OIS-06 ¶ 1 Bullet 4] | Audits and risk management | Preventive | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Time-based or event-driven removal or adjustment of access rights in the event of changes to job responsibility; IDM-01 ¶ 1 Bullet 8] | Technical security | Corrective | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Any assets handed over are provably returned upon termination of employment. AM-05 ¶ 2] | Physical and environmental protection | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [The communication of changes to the interfaces and dependencies takes place in a timely manner so that the affected organisations and third parties can react appropriately with organisational and technical measures before the changes take effect. OIS-03 ¶ 3 {security requirements} The policies and instructions describe at least the following aspects: Roles and dependencies on other organisations (especially cloud customers and subservice organisations); SP-01 ¶ 3 Bullet 4] | Operational and Systems Continuity | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Accessibility and comprehensibility of the plans for persons who are to act accordingly; BCM-03 ¶ 2 Bullet 2] | Operational and Systems Continuity | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1] | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [The Cloud Service Provider informs employees and external business partners of their obligations. If necessary, they agree to or are contractually obliged to report all security events that become known to them and are directly related to the cloud service provided by the Cloud Service Provider to a previously designated central office of the Cloud Service Provider promptly. SIM-04 ¶ 1] | Human Resources management | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Human Resources management | Corrective | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: Consideration of the nature and severity of the violation and its impact. HR-04 ¶ 1 Bullet 2] | Human Resources management | Corrective | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Detective | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Customers affected by security incidents are informed in a timely and appropriate manner. SIM-01 ¶ 4] | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 [{false positive} In addition, the Cloud Service Provider communicates that "false reports" of events that do not subsequently turn out to be incidents do not have any negative consequences. SIM-04 ¶ 2] | Operational management | Detective | |
Incorporate realistic exercises that are tested into the incident response training program. CC ID 06753 [In addition to the tests, exercises are also carried out which, among other things, have resulted in scenarios from security incidents that have already occurred in the past. BCM-04 ¶ 2] | Operational management | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements; DEV-03 ¶ 1 Bullet 4 In accordance with the contractual agreements, meaningful information about the occasion, time, duration, type and scope of the change is submitted to authorised bodies of the cloud customer so that they can carry out their own risk assessment before the change is made available in the production environment. Regardless of the contractual agreements, this is done for changes that have the highest risk category based on their risk assessment. DEV-05 ¶ 2 {changes} Cloud customers are involved in the release according to contractual requirements. DEV-09 ¶ 2] | Operational management | Preventive | |
Notify affected parties to keep authenticators confidential. CC ID 06787 [{maintain} {confidentiality} The users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively for themselves (within the members of the group). IDM-08 ¶ 3] | System hardening through configuration management | Preventive | |
Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 [{investigation request} The Cloud Service Provider informs the affected Cloud Customer(s) without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the Cloud Service. INQ-02 ¶ 1] | Privacy protection for information and data | Detective | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 [Investigation requests from government agencies are subjected to a legal assessment by subject matter experts of the Cloud Service Provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken. INQ-01 ¶ 1] | Privacy protection for information and data | Detective | |
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Detective | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1 The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Leadership and high level objectives | Corrective | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Identify the organisation's own assets and ensure an appropriate level of protection throughout their lifecycle. Section 5.4 Objective] | Leadership and high level objectives | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of effects resulting from planned and unplanned malfunctions and changes over time; BCM-02 ¶ 1 Bullet 5] | Leadership and high level objectives | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a public oversight system. CC ID 17284 | Leadership and high level objectives | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Preventive | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 | Audits and risk management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2] | Audits and risk management | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
Return all unstructured data from all shared resources upon agreement termination. CC ID 12336 [{alternate} Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. Section 5.10 Objective] | Technical security | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Preventive | |
Obtain management approval prior to decommissioning assets. CC ID 17269 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Physical and environmental protection | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 [The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload. OPS-01 ¶ 1 The forecasts are considered in accordance with the service level agreement for planning and preparing the provisioning. OPS-01 ¶ 3 Cloud Service Providers take appropriate measures to ensure that they continue to meet the requirements agreed with cloud customers for the provision of the cloud service in the event of capacity bottlenecks or outages regarding personnel and IT resources, in particular those relating to the dedicated use of system components, in accordance with the respective agreements. OPS-01 ¶ 2] | Operational management | Preventive | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Operational management | Preventive | |
Manage cloud services. CC ID 13144 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Policies, procedures and measures, including the controls implemented to provide (develop and operate) the cloud services with respect to the applicable C5 criteria; Section 3.4.4.1 ¶ 1 Bullet 5] | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Description of the system components for providing the cloud service; Section 3.4.4.1 ¶ 1 Bullet 2 {audit criteria} Applicable C5 criteria; Section 3.4.4.1 ¶ 1 Bullet 4 Complementary customer controls assumed in the design of the Cloud Service Provider's controls; and Section 3.4.4.1 ¶ 1 Bullet 7] | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{centrally manage} Physical assets of internal and external employees are managed centrally. AM-05 ¶ 3] | Operational management | Preventive | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
Define the requirements for where assets can be located. CC ID 17051 | Operational management | Preventive | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [The Cloud Service Provider has established procedures for inventorying assets. AM-01 ¶ 1 The Cloud Service Provider operates or refers to a daily updated online register of known vulnerabilities that affect the Cloud Service Provider and assets provided by the Cloud Service Provider that the cloud customers have to install, provide or operate themselves under the customers' responsibility. PSS-03 ¶ 1] | Operational management | Preventive | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Operational management | Preventive | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Collect evidence from the incident scene. CC ID 02236 | Operational management | Corrective | |
Manage change requests. CC ID 00887 [In accordance with the applicable policies (cf. DEV-03), changes are subjected to a risk assessment with regard to potential effects on the system components concerned and are categorised and prioritised accordingly. DEV-05 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Preventive | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [{change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state-of-the-art. Cloud customers are involved into the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Prioritisation and implementation of actions to promptly remediate or mitigate identified vulnerabilities based on severity and according to defined timelines; and OPS-18 ¶ 1 Bullet 3 Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): OPS-22 ¶ 2 {critical vulnerability} Critical (CVSS = 9.0 – 10.0), 3 hours; OPS-22 ¶ 2 Bullet 1 {high severity vulnerability} High (CVSS = 7.0 – 8.9), 3 days; OPS-22 ¶ 2 Bullet 2 {average severity vulnerability} Average (CVSS = 4.0 – 6.9), 1 month; and OPS-22 ¶ 2 Bullet 3 {low severity vulnerability} Low (CVSS = 0.1 – 3.9), 3 months. OPS-22 ¶ 2 Bullet 4] | Operational management | Preventive | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Corrective | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Detective | |
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Privacy protection for information and data | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 | Third Party and supply chain oversight | Corrective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: certificates of the management systems' compliance with international standards; SSO-04 ¶ 2 Bullet 2] | Third Party and supply chain oversight | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Preventive | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Malfunctions. OIS-03 ¶ 1 Bullet 3 Deviations from the specifications are reported to the responsible personnel or system components so that these can promptly assess the deviations and initiate the necessary actions. OPS-08 ¶ 2 System components in the Cloud Service Provider's area of responsibility are automatically monitored for compliance with hardening specifications. Deviations from the specifications are automatically reported to the appropriate departments of the Cloud Service Provider for immediate assessment and action. OPS-23 ¶ 3 {automate} Identified violations and discrepancies are automatically reported to the responsible personnel or system components of the Cloud Service Provider for prompt assessment and action. SSO-04 ¶ 6 At startup and runtime of virtual machine or container images, an integrity check is performed that detects image manipulations and reports them to the cloud customer. PSS-11 ¶ 2] | Monitoring and measurement | Corrective | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Preventive | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1 Information regarding the purpose and retention period of the logs; OPS-10 ¶ 1 Bullet 3 Cloud customers can view compliance with selected contractual requirements in real time. COM-03 ¶ 5] | Monitoring and measurement | Preventive | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 [{technical measure} Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: OPS-18 ¶ 1 Identified vulnerabilities and deviations are automatically reported to the appropriate Cloud Service Provider's subject matter experts for immediate assessment and action. COM-03 ¶ 4] | Monitoring and measurement | Preventive | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 [At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management. OPS-08 ¶ 3] | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [The internal and external employees of the Cloud Service Provider are informed about possible disciplinary measures. HR-04 ¶ 2] | Monitoring and measurement | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{legal framework} The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Compliance with legal and regulatory frameworks. OPS-10 ¶ 1 Bullet 6] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 | Audits and risk management | Preventive | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 [At the client's request, the auditor shall provide appropriate evidence that the audit team meets the qualification requirements. Section 3.4.9 ¶ 5] | Audits and risk management | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [The ISAE 3000 (Revised) audit standard distinguishes between audit engagements with "reasonable assurance" and audit engagements with "limited assurance". According to the BSI, auditors should perform reasonable assurance audits to provide conformity with this criteria catalogue. Section 3.4.1 ¶ 2] | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and OIS-06 ¶ 1 Bullet 4] | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: OIS-06 ¶ 1 Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Documentation of the activities implemented to enable consistent, valid and comparable results. OIS-06 ¶ 1 Bullet 5] | Audits and risk management | Preventive | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Preventive | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: PS-04 ¶ 3] | Technical security | Corrective | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Preventive | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: The user is informed about changing or resetting the password. IDM-08 ¶ 1 Bullet 3] | Technical security | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: COS-02 ¶ 1] | Technical security | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Preventive | |
Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Technical security | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 [{technical safeguard} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: CRY-01 ¶ 1] | Technical security | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 [{technical safeguard} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: CRY-01 ¶ 1] | Technical security | Preventive | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Preventive | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 [Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Use of system-specific protection mechanisms; OPS-04 ¶ 1 Bullet 1 Operating protection programs on system components under the responsibility of the Cloud Service Provider that are used to provide the cloud service in the production environment; and OPS-04 ¶ 1 Bullet 2 Operation of protection programs for employees' terminal equipment. OPS-04 ¶ 1 Bullet 3] | Technical security | Preventive | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 [Security requirements for premises and buildings related to the cloud service provided, are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Physical and environmental protection | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Preventive | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Preventive | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2 The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Preventive | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [{data recovery} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. OPS-06 ¶ 1] | Operational and Systems Continuity | Preventive | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 [{data recovery} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. OPS-06 ¶ 1] | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Preventive | |
Notify interested personnel and affected parties of the geographic locations of the cloud service organization and its assets. CC ID 13037 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Operational management | Preventive | |
Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 [To monitor capacity and availability, the relevant information is available to the cloud customer in a self-service portal. OPS-02 ¶ 2 The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for the monitoring of these requirements; and SSO-01 ¶ 1 Bullet 8 {be specific} {logical separation} The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out. OPS-14 ¶ 3] | Operational management | Preventive | |
Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 | Operational management | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers. OIS-02 ¶ 1 Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1] | Operational management | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/ or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Operational management | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 [Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: AM-02 ¶ 1] | Operational management | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 [{confidentiality agreement} The Cloud Service Provider must inform the internal employees, external service providers and suppliers and obtain confirmation of the updated confidentiality or non-disclosure agreement. HR-06 ¶ 4] | Operational management | Preventive | |
Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Operational management | Preventive | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Preventive | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Information on security incidents or confirmed security breaches is made available to all affected customers. SIM-03 ¶ 3] | Operational management | Corrective | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 [Policies and instructions with technical and organisational safeguards are documented, communicated and provided in accordance with SP-01 to ensure a fast, effective and proper response to all known security incidents. SIM-01 ¶ 1] | Operational management | Preventive | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Preventive | |
Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Records management | Preventive | |
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate critical security updates to users. CC ID 14942 [{time frame} For each vulnerability, it is indicated whether software updates (e.g. patch, update) are available, when they will be rolled out and whether they will be deployed by the Cloud Service Provider, the cloud customer or both of them together. PSS-03 ¶ 4] | Systems design, build, and implementation | Corrective | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Vulnerabilities; OIS-03 ¶ 1 Bullet 1 In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities. DEV-02 ¶ 1 Bullet 3 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for dealing with vulnerabilities, security incidents and malfunctions; SSO-01 ¶ 1 Bullet 6 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service. PSS-02 ¶ 2 Bullet 4] | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Acquisition or sale of facilities, technology, and services | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 [Investigation requests from government agencies are subjected to a legal assessment by subject matter experts of the Cloud Service Provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken. INQ-01 ¶ 1] | Privacy protection for information and data | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: Procedures to verify the legal basis of such enquiries; BC-05 ¶ 1 Bullet 1] | Privacy protection for information and data | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Exclusively anonymous metadata to deploy and enhance the cloud service so that no conclusions can be drawn about the cloud customer or user; OPS-11 ¶ 1 Bullet 2] | Privacy protection for information and data | Preventive | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Preventive | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Time synchronisation of system components; and OPS-10 ¶ 1 Bullet 5] | Monitoring and measurement | Preventive | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [The security measures are designed to detect and prevent unauthorised access so that the information security of the cloud service is not compromised. PS-03 ¶ 2] | Monitoring and measurement | Preventive | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 [The Cloud Service Provider operates or refers to a daily updated online register of known vulnerabilities that affect the Cloud Service Provider and assets provided by the Cloud Service Provider that the cloud customers have to install, provide or operate themselves under the customers' responsibility. PSS-03 ¶ 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Information sources on known vulnerabilities and update mechanisms; PSS-01 ¶ 2 Bullet 2] | Monitoring and measurement | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Data traffic of cloud customers in jointly used network environments is segregated on network level according to a documented concept to ensure the confidentiality and integrity of the data transmitted. COS-06 ¶ 1] | Technical security | Preventive | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 [Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility is restricted to authorised users. Changes to the configuration are made in accordance with the applicable policies (cf. DEV-03). OPS-16 ¶ 1 The Cloud Service Provider offers cloud customers a self-service with which they can independently assign and change user accounts and access rights. IDM-02 ¶ 2 Access to the functions provided by the cloud service is restricted by access controls (authorisation mechanisms) that verify whether users, IT components, or applications are authorised to perform certain actions. PSS-09 ¶ 1 {attribute-based access control} Access controls are attribute-based to enable granular and contextual checks against multiple attributes of a user, IT component, or application (e.g., role, location, authentication method). PSS-09 ¶ 3 If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: The cloud customer can restrict the selection of images of virtual machines or containers according to his specifications, so that users of this cloud customer can only launch the images or containers released according to these restrictions. PSS-11 ¶ 1 Bullet 1] | Technical security | Preventive | |
Assign authentication mechanisms for user account authentication. CC ID 06856 [The Cloud Service Provider provides authentication mechanisms that can force strong authentication (e.g. two or more factors) for users, IT components or applications within the cloud users' area of responsibility. PSS-05 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 [{alternate} The cloud service can be accessed by other cloud services or IT systems of cloud customers through documented inbound and outbound interfaces. Further, the interfaces are clearly documented for subject matter experts on how they can be used to retrieve the data. PI-01 ¶ 1 These authentication mechanisms are set up at all access points that allow users, IT components or applications to interact with the cloud service. PSS-05 ¶ 2] | Technical security | Detective | |
Configure network flow monitoring to organizational standards. CC ID 16364 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Technical security | Preventive | |
Control remote administration in accordance with organizational standards. CC ID 04459 [{acceptable use policy} {remote management} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Remote deactivation, deletion or blocking; AM-02 ¶ 1 Bullet 9] | Technical security | Preventive | |
Implement multifactor authentication techniques. CC ID 00561 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Two-factor authentication for access to areas hosting system components that process cloud customer information; PS-04 ¶ 3 Bullet 4 Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility requires two-factor authentication. OPS-16 ¶ 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 Access to the non-production environment requires two-factor or multi-factor authentication. Within the non-production environment, users are authenticated using passwords, digitally signed certificates, or procedures that provide at least an equivalent level of security. IDM-09 ¶ 2 {dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1 The Cloud Service Provider provides authentication mechanisms that can force strong authentication (e.g. two or more factors) for users, IT components or applications within the cloud users' area of responsibility. PSS-05 ¶ 1] | Technical security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 [{physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Technical security | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily. OPS-05 ¶ 1] | Technical security | Preventive | |
Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356 | Technical security | Preventive | |
Employ resource-isolation mechanisms in virtual environments. CC ID 12178 [{shared resource} Cloud customer data stored and processed on shared virtual and physical resources is securely and strictly separated according to a documented approach based on OIS-07 risk analysis to ensure the confidentiality and integrity of this data. OPS-24 ¶ 1] | Technical security | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
Install and maintain fire protection equipment. CC ID 00728 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Early fire detection with automatic voltage release. The monitored areas are sufficiently fragmented to ensure that the prevention of the spread of incipient fires is proportionate to the maintenance of the availability of the cloud service provided; PS-05 ¶ 1(b) Bullet 1 {fire extinguishing system} Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Extinguishing system or oxygen reduction; and PS-05 ¶ 1(b) Bullet 2 The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Fire and smoke; PS-01 ¶ 2 Bullet 5] | Physical and environmental protection | Preventive | |
Install and maintain fire suppression systems. CC ID 00729 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Fire and smoke; PS-01 ¶ 2 Bullet 5 Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: PS-05 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 [{be insufficient} The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Insufficient air-conditioning; PS-01 ¶ 2 Bullet 4 {operating parameter} {be the highest} The cooling supply is designed in such a way that the permissible operating and environmental parameters are also ensured on at least five consecutive days with the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings, with a safety margin of 3 K (in relation to the outside temperature). The Cloud Service Provider has previously determined the highest outdoor temperatures measured to date (cf. PS-01 Security Concept). PS-06 ¶ 3] | Physical and environmental protection | Preventive | |
Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Air ventilation and filtration. PS-01 ¶ 2 Bullet 8] | Physical and environmental protection | Preventive | |
Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 [{power supply} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Operational redundancy (N+1) in power and cooling supply PS-06 ¶ 1(a)] | Physical and environmental protection | Preventive | |
Protect physical assets from water damage. CC ID 00730 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Water; PS-01 ¶ 2 Bullet 6] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Power failure; and PS-01 ¶ 2 Bullet 7] | Operational and Systems Continuity | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: PS-06 ¶ 1 {power supply} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Operational redundancy (N+1) in power and cooling supply PS-06 ¶ 1(a) Uninterruptible Power Supplies (UPS) and Emergency Power Supplies (NPS) are designed to meet the availability requirements defined in the Service Level Agreement. PS-06 ¶ 2] | Operational and Systems Continuity | Preventive | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Preventive | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Corrective | |
Encrypt backup data. CC ID 00958 [{encrypted format} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Data is backed up in encrypted, state-of-the-art form; OPS-06 ¶ 1 Bullet 2 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Operational and Systems Continuity | Preventive | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Operational and Systems Continuity | Preventive | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1] | Operational management | Detective | |
Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [{be inactive} To protect confidentiality, availability, integrity and authenticity during interactions with the cloud service, a suitable session management system is used that at least corresponds to the state-of-the-art and is protected against known attacks. Mechanisms are implemented that invalidate a session after it has been detected as inactive. The inactivity can be detected by time measurement. In this case, the time interval can be configured by the Cloud Service Provider or – if technically possible – by the cloud customer. PSS-06 ¶ 1] | System hardening through configuration management | Preventive | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Requirements for versions of software and images as well as application of patches; AM-02 ¶ 1 Bullet 5 {time frame} For each vulnerability, it is indicated whether software updates (e.g. patch, update) are available, when they will be rolled out and whether they will be deployed by the Cloud Service Provider, the cloud customer or both of them together. PSS-03 ¶ 4] | System hardening through configuration management | Preventive | |
Configure Least Functionality and Least Privilege settings to organizational standards. CC ID 07599 [The rights profiles are suitable for enabling cloud users to manage access authorisations and permissions in accordance with the principle of least-privilege and how it is necessary for the performance of tasks ("need-to-know principle") and to implement the principle of functional separation between operational and controlling functions ("separation of duties"). PSS-08 ¶ 2] | System hardening through configuration management | Preventive | |
Prohibit directories from having read/write capability, as appropriate. CC ID 16313 | System hardening through configuration management | Preventive | |
Configure "Block public access (bucket settings)" to organizational standards. CC ID 15444 | System hardening through configuration management | Preventive | |
Configure S3 Bucket Policies to organizational standards. CC ID 15431 | System hardening through configuration management | Preventive | |
Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards. CC ID 15417 | System hardening through configuration management | Preventive | |
Configure "Allow Cloud Search" to organizational standards. CC ID 15416 | System hardening through configuration management | Preventive | |
Configure "Configure Watson events" to organizational standards. CC ID 15414 | System hardening through configuration management | Preventive | |
Configure "Allow Clipboard synchronization across devices" to organizational standards. CC ID 15412 | System hardening through configuration management | Preventive | |
Configure "Prevent users from modifying settings" to organizational standards. CC ID 15411 | System hardening through configuration management | Preventive | |
Configure "Prevent users from sharing files within their profile" to organizational standards. CC ID 15408 | System hardening through configuration management | Preventive | |
Configure "Manage preview builds" to organizational standards. CC ID 15405 | System hardening through configuration management | Preventive | |
Configure "Turn off Help Experience Improvement Program" to organizational standards. CC ID 15403 | System hardening through configuration management | Preventive | |
Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards. CC ID 15402 | System hardening through configuration management | Preventive | |
Configure "Hardened UNC Paths" to organizational standards. CC ID 15400 | System hardening through configuration management | Preventive | |
Configure "Turn off all Windows spotlight features" to organizational standards. CC ID 15397 | System hardening through configuration management | Preventive | |
Configure "Allow Message Service Cloud Sync" to organizational standards. CC ID 15396 | System hardening through configuration management | Preventive | |
Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards. CC ID 15394 | System hardening through configuration management | Preventive | |
Configure "Configure Windows spotlight on lock screen" to organizational standards. CC ID 15391 | System hardening through configuration management | Preventive | |
Configure "Do not suggest third-party content in Windows spotlight" to organizational standards. CC ID 15389 | System hardening through configuration management | Preventive | |
Configure "Enable Font Providers" to organizational standards. CC ID 15388 | System hardening through configuration management | Preventive | |
Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards. CC ID 15386 | System hardening through configuration management | Preventive | |
Configure "Do not display network selection UI" to organizational standards. CC ID 15381 | System hardening through configuration management | Preventive | |
Configure "Turn off KMS Client Online AVS Validation" to organizational standards. CC ID 15380 | System hardening through configuration management | Preventive | |
Configure "Allow Telemetry" to organizational standards. CC ID 15378 | System hardening through configuration management | Preventive | |
Configure "Allow users to enable online speech recognition services" to organizational standards. CC ID 15377 | System hardening through configuration management | Preventive | |
Configure "Prevent enabling lock screen camera" to organizational standards. CC ID 15373 | System hardening through configuration management | Preventive | |
Configure "Continue experiences on this device" to organizational standards. CC ID 15372 | System hardening through configuration management | Preventive | |
Configure "Prevent the usage of OneDrive for file storage" to organizational standards. CC ID 15369 | System hardening through configuration management | Preventive | |
Configure "Do not use diagnostic data for tailored experiences" to organizational standards. CC ID 15367 | System hardening through configuration management | Preventive | |
Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards. CC ID 15365 | System hardening through configuration management | Preventive | |
Configure "Turn off Microsoft consumer experiences" to organizational standards. CC ID 15363 | System hardening through configuration management | Preventive | |
Configure "Allow Use of Camera" to organizational standards. CC ID 15362 | System hardening through configuration management | Preventive | |
Configure "Allow Online Tips" to organizational standards. CC ID 15360 | System hardening through configuration management | Preventive | |
Configure "Turn off cloud optimized content" to organizational standards. CC ID 15357 | System hardening through configuration management | Preventive | |
Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards. CC ID 15356 | System hardening through configuration management | Preventive | |
Configure "Toggle user control over Insider builds" to organizational standards. CC ID 15354 | System hardening through configuration management | Preventive | |
Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards. CC ID 15353 | System hardening through configuration management | Preventive | |
Configure "Do not show feedback notifications" to organizational standards. CC ID 15350 | System hardening through configuration management | Preventive | |
Configure "Prevent enabling lock screen slide show" to organizational standards. CC ID 15349 | System hardening through configuration management | Preventive | |
Configure "Turn off the advertising ID" to organizational standards. CC ID 15348 | System hardening through configuration management | Preventive | |
Configure "Allow Windows Ink Workspace" to organizational standards. CC ID 15346 | System hardening through configuration management | Preventive | |
Configure "Allow a Windows app to share application data between users" to organizational standards. CC ID 15345 | System hardening through configuration management | Preventive | |
Configure "Turn off handwriting personalization data sharing" to organizational standards. CC ID 15339 | System hardening through configuration management | Preventive | |
Configure virtual networks in accordance with the information security policy. CC ID 13165 [{physical separation} In the case of IaaS/PaaS, the secure segregation is ensured by physically separated networks or by means of strongly encrypted VLANs. For the definition of strong encryption, the BSI Technical Guideline TR-02102 must be considered. COS-06 ¶ 2] | System hardening through configuration management | Preventive | |
Configure authenticators to comply with organizational standards. CC ID 06412 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: When creating passwords, compliance with the password specifications (cf. IDM-09) is enforced as far as technically possible. IDM-08 ¶ 1 Bullet 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | System hardening through configuration management | Preventive | |
Configure the system to require new users to change their authenticator on first use. CC ID 05268 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | System hardening through configuration management | Preventive | |
Configure the system to encrypt authenticators. CC ID 06735 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: The server-side storage takes place using cryptographically strong hash functions. IDM-08 ¶ 1 Bullet 4 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: The server-side storage takes place using state-of-the-art cryptographically strong hash functions in combination with at least 32-bit long salt values. PSS-07 ¶ 1 Bullet 4] | System hardening through configuration management | Preventive | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Preventive | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
Review and restrict network addresses and network protocols. CC ID 01518 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Usage of strong encryption procedures and secure network protocols that correspond to the state-of-the-art; CRY-01 ¶ 1 Bullet 1 {insecure protocol} At specified intervals, the business justification for using all services, protocols, and ports is reviewed. The review also includes the justifications for compensatory measures for the use of protocols that are considered insecure. COS-03 ¶ 4] | System hardening through configuration management | Preventive | |
Configure Network Address Translation to organizational standards. CC ID 16395 | System hardening through configuration management | Preventive | |
Enable or disable tunneling, as necessary. CC ID 15235 | System hardening through configuration management | Preventive | |
Disable Pre-boot eXecution Environment unless it is absolutely necessary. CC ID 04819 | System hardening through configuration management | Preventive | |
Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information. CC ID 06077 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | System hardening through configuration management | Preventive | |
Configure wireless communication to be encrypted using strong cryptography. CC ID 06078 [Communication takes place through standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements. Communication over untrusted networks is encrypted according to CRY-02. PI-01 ¶ 2] | System hardening through configuration management | Preventive | |
Enable or disable the Uninterruptible Power Supply service, as appropriate. CC ID 06037 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain virtualization configuration settings. CC ID 07110 | System hardening through configuration management | Preventive | |
Implement the security features of hypervisor to protect virtual machines. CC ID 12176 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | System hardening through configuration management | Preventive | |
Configure network protection settings to organizational standards. CC ID 07601 [System components in the production environment used to provide the cloud service under the Cloud Service Provider's responsibility are hardened according to generally accepted industry standards. The hardening requirements for each system component are documented. OPS-23 ¶ 1 Ensure the protection of information in networks and the corresponding information processing systems Section 5.9 Objective] | System hardening through configuration management | Preventive | |
Configure the "CNI" plugin to organizational standards. CC ID 14659 | System hardening through configuration management | Preventive | |
Configure the "data-path-addr" argument to organizational standards. CC ID 14546 | System hardening through configuration management | Preventive | |
Configure the "advertise-addr" argument to organizational standards. CC ID 14544 | System hardening through configuration management | Preventive | |
Configure the "nftables" to organizational standards. CC ID 15320 | System hardening through configuration management | Preventive | |
Configure the "iptables" to organizational standards. CC ID 14463 | System hardening through configuration management | Preventive | |
Configure the "ip6tables" settings to organizational standards. CC ID 15322 | System hardening through configuration management | Preventive | |
Configure the "insecure registries" to organizational standards. CC ID 14455 | System hardening through configuration management | Preventive | |
Configure the "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to organizational standards. CC ID 07602 | System hardening through configuration management | Preventive | |
Configure the "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to organizational standards. CC ID 07648 | System hardening through configuration management | Preventive | |
Configure the "net-host" argument to organizational standards. CC ID 14529 | System hardening through configuration management | Preventive | |
Configure the "firewalld" to organizational standards. CC ID 15321 | System hardening through configuration management | Preventive | |
Configure the "network bridge" to organizational standards. CC ID 14501 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Firewall state" to organizational standards. CC ID 07667 | System hardening through configuration management | Preventive | |
Configure the "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)" to organizational standards. CC ID 07680 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Outbound connections" to organizational standards. CC ID 07695 | System hardening through configuration management | Preventive | |
Configure the "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." to organizational standards. CC ID 07703 | System hardening through configuration management | Preventive | |
Configure the "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to organizational standards. CC ID 07733 | System hardening through configuration management | Preventive | |
Configure the "publish" argument to organizational standards. CC ID 14500 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Inbound connections" to organizational standards. CC ID 07747 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Apply local firewall rules" to organizational standards. CC ID 07777 | System hardening through configuration management | Preventive | |
Configure the "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to organizational standards. CC ID 07801 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Firewall state" to organizational standards. CC ID 07803 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Apply local connection security rules" to organizational standards. CC ID 07805 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Apply local firewall rules" to organizational standards. CC ID 07833 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Display a notification" to organizational standards. CC ID 07836 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Outbound connections" to organizational standards. CC ID 07839 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Apply local firewall rules" to organizational standards. CC ID 07850 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Inbound connections" to organizational standards. CC ID 07851 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Outbound connections" to organizational standards. CC ID 07858 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Firewall state" to organizational standards. CC ID 07861 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Display a notification" to organizational standards. CC ID 07868 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Inbound connections" to organizational standards. CC ID 07872 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Allow unicast response" to organizational standards. CC ID 07873 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Allow unicast response" to organizational standards. CC ID 07885 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Apply local connection security rules" to organizational standards. CC ID 07890 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Allow unicast response" to organizational standards. CC ID 07893 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Apply local connection security rules" to organizational standards. CC ID 07896 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Display a notification" to organizational standards. CC ID 07902 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Protect all network connections" to organizational standards. CC ID 08161 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Allow inbound UPnP framework exceptions" to organizational standards. CC ID 08170 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Allow local program exceptions" to organizational standards. CC ID 08173 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Do not allow exceptions" to organizational standards. CC ID 08184 | System hardening through configuration management | Preventive | |
Configure the "MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)" to organizational standards. CC ID 08208 | System hardening through configuration management | Preventive | |
Configure the "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" to organizational standards. CC ID 08210 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Allow local port exceptions" to organizational standards. CC ID 08214 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Define inbound port exceptions" to organizational standards. CC ID 08215 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Prohibit unicast response to multicast or broadcast requests" to organizational standards. CC ID 08217 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Prohibit notifications" to organizational standards. CC ID 08249 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Allow inbound file and printer sharing exception" to organizational standards. CC ID 08275 | System hardening through configuration management | Preventive | |
Configure the "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" to organizational standards. CC ID 08279 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Define inbound program exceptions" to organizational standards. CC ID 08282 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Allow ICMP exceptions" to organizational standards. CC ID 08289 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Allow inbound Remote Desktop exceptions" to organizational standards. CC ID 08295 | System hardening through configuration management | Preventive | |
Configure the "Allow unencrypted traffic" to organizational standards. CC ID 08383 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Logging: Log successful connections" to organizational standards. CC ID 08466 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Public: Logging: Size limit (KB)" to organizational standards. CC ID 08494 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Domain: Logging: Log successful connections" to organizational standards. CC ID 08544 | System hardening through configuration management | Preventive | |
Configure the "Windows Firewall: Private: Logging: Name" to organizational standards. CC ID 08595 | System hardening through configuration management | Preventive | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
Configure the storage parameters for all logs. CC ID 06330 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2] | System hardening through configuration management | Preventive | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | System hardening through configuration management | Preventive | |
Generate an alert when an audit log failure occurs. CC ID 06737 [The Cloud Service Provider monitors the system components for logging and monitoring in its area of responsibility. Failures are automatically and promptly reported to the Cloud Service Provider's responsible departments so that these can assess the failures and take required action. OPS-17 ¶ 1] | System hardening through configuration management | Preventive | |
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Preventive | |
Configure Identity and Access Management policies to organizational standards. CC ID 15422 [Specified procedures for granting and modifying user accounts and access rights for internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider ensure compliance with the role and rights concept as well as the policy for managing user accounts and access rights. IDM-02 ¶ 1] | System hardening through configuration management | Preventive | |
Configure the "Maximum password age" to organizational standards. CC ID 07688 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | System hardening through configuration management | Preventive | |
Configure the "Minimum password length" to organizational standards. CC ID 07711 [{password length} If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: When creating passwords, compliance with the length and complexity requirements of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically enforced. PSS-07 ¶ 1 Bullet 2] | System hardening through configuration management | Preventive | |
Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743 [{password length} If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: When creating passwords, compliance with the length and complexity requirements of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically enforced. PSS-07 ¶ 1 Bullet 2] | System hardening through configuration management | Preventive | |
Configure security and protection software to enable automatic updates. CC ID 11945 [System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily. OPS-05 ¶ 1] | System hardening through configuration management | Preventive | |
Configure initial system hardening according to the secure configuration baseline. CC ID 13824 [System components in the production environment used to provide the cloud service under the Cloud Service Provider's responsibility are hardened according to generally accepted industry standards. The hardening requirements for each system component are documented. OPS-23 ¶ 1 {acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Secure configuration of mechanisms for error handling, logging, encryption, authentication and authorisation; AM-02 ¶ 1 Bullet 4] | System hardening through configuration management | Preventive | |
Configure the system's password field with a unique default password. CC ID 13825 | System hardening through configuration management | Preventive | |
Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 [If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: In addition, these images provided by the Cloud Service Provider are hardened according to generally accepted industry standards. PSS-11 ¶ 1 Bullet 3] | System hardening through configuration management | Preventive | |
Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Preventive | |
Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Preventive | |
Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Preventive | |
Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Preventive | |
Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Preventive | |
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Preventive | |
Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Preventive | |
Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Preventive | |
Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Preventive | |
Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Preventive | |
Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Preventive | |
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Preventive | |
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Preventive | |
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Preventive | |
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Preventive | |
Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Preventive | |
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Preventive | |
Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Preventive | |
Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Preventive | |
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Preventive | |
Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Preventive | |
Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Preventive | |
Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Preventive | |
Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Preventive | |
Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Preventive | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
Define the scope of the security policy. CC ID 07145 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Scope of the ISMS (Section 4.3 of ISO/IEC 27001); OIS-01 ¶ 2 Bullet 1 {security requirements} The policies and instructions describe at least the following aspects: Scope; SP-01 ¶ 3 Bullet 2] | Leadership and high level objectives | Preventive | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Preventive | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: IDM-08 ¶ 1] | Technical security | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Resources in the storage network are segmented by secure zoning (LUN binding and LUN masking). OPS-24 ¶ 2] | Technical security | Preventive | |
Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Preventive | |
Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Preventive | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Preventive | |
Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 | Technical security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
Generate strong cryptographic keys. CC ID 01299 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Provisioning and activation of the keys; CRY-04 ¶ 1 Bullet 3] | Technical security | Preventive | |
Store cryptographic keys securely. CC ID 01298 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Secure storage of keys (separation of key management system from application and middleware level) including description of how authorised users get access; CRY-04 ¶ 1 Bullet 4] | Technical security | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 The private keys used for encryption are known to the customer exclusively and without exception in accordance with applicable legal and regulatory obligations and requirements. CRY-03 ¶ 2 The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Technical security | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 [{physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Operational and Systems Continuity | Preventive | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Access to the backed-up data and the execution of restores is performed only by authorised persons; and OPS-06 ¶ 1 Bullet 3] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Operational management | Preventive | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Operational management | Preventive | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Complete and irrevocable deletion of the data upon decommissioning. AM-02 ¶ 1 Bullet 12] | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The Cloud Service Provider periodically informs the cloud customer on the status of incidents affecting the cloud customer, or, where appropriate and necessary, involve the customer in the resolution, in a manner consistent with the contractual agreements. OPS-21 ¶ 1 Identified events are automatically reported to the appropriate departments for prompt evaluation and action. OPS-13 ¶ 2 Information on security incidents or confirmed security breaches is made available to all affected customers. SIM-03 ¶ 3 Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Operational management | Preventive | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Approve tested change requests. CC ID 11783 [Authorised personnel or system components of the Cloud Service Provider approve changes to the cloud service based on defined criteria (e.g. test results and required approvals) before these are made available to the cloud customers in the production environment. DEV-09 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Preventive | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Preventive | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Preventive | |
Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Immediate deletion if the purposes of the collection are fulfilled and further storage is no longer necessary; and OPS-11 ¶ 1 Bullet 5] | Privacy protection for information and data | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: BC-05 ¶ 1] | Privacy protection for information and data | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [Access to the data processed, stored or transmitted in the cloud service by internal or external employees of the Cloud Service Provider requires the prior consent of an authorised department of the cloud customer, provided that the cloud customer's data is not encrypted, encryption is disabled for access, or contractual agreements do not explicitly exclude such consent. For the consent, the cloud customer's department is provided with meaningful information about the cause, time, duration, type and scope of the access supporting assessing the risks associated with the access. IDM-07 ¶ 2] | Privacy protection for information and data | Preventive | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 [The Cloud Service Provider's procedures establishing access to or disclosing data of cloud customers in the context of investigation requests from governmental agencies ensure that the agencies only gain access to or insight into the data that is the subject of the investigation request. INQ-04 ¶ 1] | Privacy protection for information and data | Preventive | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Privacy protection for information and data | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective If the Cloud Service offers functions for software-defined networking (SDN), the confidentiality of the data of the cloud user is ensured by suitable SDN procedures. PSS-10 ¶ 1] | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [{not be possible} If no clear limitation of the data is possible, the Cloud Service Provider anonymises or pseudonymises the data so that government agencies can only assign it to those cloud customers who are subject of the investigation request. INQ-04 ¶ 2] | Privacy protection for information and data | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Preventive | |
Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Preventive | |
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Preventive | |
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Preventive | |
Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Preventive | |
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Preventive | |
Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Preventive | |
Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Preventive | |
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Preventive | |
Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Preventive | |
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Detective | |
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Detective | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Company name; SSO-03 ¶ 1 Bullet 1] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Preventive | |
Define the strategic Information Assurance roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Detective | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 [The top management of the Cloud Service Provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS that is performed at least once a year. COM-04 ¶ 1] | Leadership and high level objectives | Preventive | |
Define and assign log management roles and responsibilities. CC ID 06311 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Define roles and responsibilities for setting up and monitoring logging; OPS-10 ¶ 1 Bullet 4] | Monitoring and measurement | Preventive | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. OPS-19 ¶ 4] | Monitoring and measurement | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The report on an attestation engagement includes the following elements: Auditor's responsibility Section 3.4.8 ¶ 2 1 (d)] | Audits and risk management | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1 Exit strategies are aligned with operational continuity plans and include the following aspects: Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition; SSO-05 ¶ 2 Bullet 2 {take into account} Business continuity plans and contingency plans take the following aspects into account: Ownership by at least one designated person responsible for review, updating and approval; BCM-03 ¶ 2 Bullet 3] | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of restoration priorities; BCM-02 ¶ 1 Bullet 7] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Classify assets according to the Asset Classification Policy. CC ID 07186 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Operational management | Preventive | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Identify the organisation's own assets and ensure an appropriate level of protection throughout their lifecycle. Section 5.4 Objective] | Operational management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [Communication takes place through standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements. Communication over untrusted networks is encrypted according to CRY-02. PI-01 ¶ 2] | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures. CC ID 12406 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2] | Leadership and high level objectives | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 [The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Faults in planning; PS-01 ¶ 2 Bullet 1] | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service. OIS-01 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Up-to-datedness of the documentation in the distribution list; PS-06 ¶ 1(d) Bullet 2] | Leadership and high level objectives | Preventive | |
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 | Leadership and high level objectives | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3 {applicable requirements} The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service as well as the Cloud Service Provider's procedures for complying with these requirements are explicitly defined and documented. COM-01 ¶ 1] | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Declaration of applicability (Section 6.1.3), and OIS-01 ¶ 2 Bullet 2] | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Information on the general conditions of the cloud service in accordance with the criteria in Section 5 of this criteria catalogue, which enable potential customers of the Cloud Service Provider to assess its suitability for their use case; Section 3.4.4.1 ¶ 1 Bullet 3] | Leadership and high level objectives | Corrective | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Leadership and high level objectives | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an oversight plan. CC ID 17302 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the public oversight system. CC ID 17285 | Leadership and high level objectives | Preventive | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 [{information security policy} The review shall consider at least the following aspects: Organisational and technical changes in the procedures for providing the cloud service; and SP-02 ¶ 2 Bullet 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [Provide policies and instructions regarding security requirements and to support business requirements. Section 5.2 Objective] | Leadership and high level objectives | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Preventive | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Preventive | |
Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Preventive | |
Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Preventive | |
Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Preventive | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Preventive | |
Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Preventive | |
Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Preventive | |
Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a tactical plan. CC ID 12785 | Leadership and high level objectives | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | Monitoring and measurement | Preventive | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain Responding to Failures in Security Controls procedures. CC ID 12514 | Monitoring and measurement | Preventive | |
Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure. CC ID 12521 [The system components for logging and monitoring are designed in such a way that the overall functionality is not restricted if individual components fail. OPS-17 ¶ 2] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an event logging policy. CC ID 15217 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1] | Monitoring and measurement | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 [Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitoring and measurement | Corrective | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [{security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Which data, services or functions available to the cloud user within the cloud service, have been accessed by whom and when (Audit Logs); PSS-04 ¶ 2 Bullet 1] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [{malware} The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the subject matter experts so that the deviations are immediately assessed and the necessary measures taken. OPS-05 ¶ 2 System components in the Cloud Service Provider's area of responsibility are automatically monitored for compliance with hardening specifications. Deviations from the specifications are automatically reported to the appropriate departments of the Cloud Service Provider for immediate assessment and action. OPS-23 ¶ 3 The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Configuration of system components; SSO-04 ¶ 5 Bullet 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Monitoring and measurement | Detective | |
Create specific test plans to test each system component. CC ID 00661 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the performance and documentation of tests; DEV-03 ¶ 1 Bullet 2 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Preventive | |
Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Preventive | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 [Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Conformity of the actual wiring and patching with the documentation; PS-06 ¶ 1(d) Bullet 3 {not be needed} {grounding} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: The short-circuits and earthing of unneeded cables are intact; and PS-06 ¶ 1(d) Bullet 4 {unauthorized installation} {unauthorized modification} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Impermissible installations and modifications. PS-06 ¶ 1(d) Bullet 5] | Monitoring and measurement | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: dealing with incidents and vulnerabilities; and AM-02 ¶ 1 Bullet 11 The Cloud Service Provider regularly measures, analyses and assesses the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness. OPS-20 ¶ 1] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Assessment of the severity of identified vulnerabilities; OPS-18 ¶ 1 Bullet 2] | Monitoring and measurement | Preventive | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Preventive | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Preventive | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Preventive | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 [{criticality level} For findings with medium or high criticality regarding the confidentiality, integrity or availability of the cloud service, actions must be taken within defined time windows for prompt remediation or mitigation. OPS-19 ¶ 3 The Cloud Service Provider assesses the severity of the findings made in penetration tests according to defined criteria. OPS-19 ¶ 2] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: Verifying whether a violation has occurred; and HR-04 ¶ 1 Bullet 1] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 [The use of disciplinary measures is appropriately documented. HR-04 ¶ 3] | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [Proof of conformity is always to be provided using the audit standard ISAE 3000 (Revised). Section 3.4.1 ¶ 1] | Audits and risk management | Preventive | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [In this context, Cloud Service Providers and auditors shall have sufficient time to make the necessary adjustments to the systems and processes and to the execution of the audit associated with the updating of this criteria catalogue. Section 3.5 ¶ 2] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 [{independent audit report} The report on an attestation engagement includes the following elements: General terms of the engagement Section 3.4.8 ¶ 2 1 (h) Since in the case of a direct engagement, the audit is not based on a system description provided by the Cloud Service Provider, the auditor must document details of the general conditions in accordance with the information provided by the Cloud Service Provider. Section 4 ¶ 2] | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 [In this context, Cloud Service Providers and auditors shall have sufficient time to make the necessary adjustments to the systems and processes and to the execution of the audit associated with the updating of this criteria catalogue. Section 3.5 ¶ 2 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 [According to the BSI, Cloud Service Providers who already have a system description can reuse it in audits according to this criteria catalogue. However, an existing system description that meets the requirements of another standard must be adapted to this criteria catalogue, as necessary. Section 3.4.3.1 ¶ 3 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: Its jurisdiction; and BC-01 ¶ 1 Bullet 1 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: the suitability and effectiveness of the internal control system in relation to the applicable criteria; and BC-06 ¶ 1 Bullet 3] | Audits and risk management | Preventive | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 If necessary, the Cloud Service Provider will outsource parts of its business processes for the provision of the cloud service to other service providers (use of subservice organisations). The Cloud Service Provider describes this in its description and the auditor takes this into consideration as specified in the audit standards ISAE 3402. The standard distinguishes for an attestation engagement between the "inclusive method" and the "carve-out method": Section 3.4.5 ¶ 1] | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: contractual agreements regarding the availability of the Cloud Service not being fulfilled, or Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 1] | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant changes to the policies, procedures and measures, including the controls, to govern the provisioning (development and operation) of the Cloud Services with respect to the applicable C5 Criteria, that have been implemented during the period under review; Section 3.4.4.1 ¶ 2 Bullet 1 If the Cloud Service Provider can provide evidence of additional controls not previously stated in the description, but in place for non-covered elements of the C5 criteria, the Cloud Service Provider shall include these controls in the description or adjust the existing control descriptions and present these changes in an appropriate form. Section 3.4.6 ¶ 2 In the course of a specified period, it may happen that the assessment of the effectiveness of the policies, procedures and measures applied by the Cloud Service Provider relates both to the status before and after the implementation of such adjustments. The system description should include the adjustments made (cf. Section 3.4.4.1). In the case of a direct engagement, the auditor must obtain and disclose this information. Section 3.5 ¶ 4] | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: Section 3.4.4.1 ¶ 2 Bullet 2 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: unauthorised third parties having gained access to the data of cloud customers stored in the cloud service, or Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 2 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: the integrity of the data stored in the cloud service was compromised and the protective measures put in place (e.g. data backup) were not effective, Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 3] | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: the integrity of the data stored in the cloud service was compromised and the protective measures put in place (e.g. data backup) were not effective, Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 3 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: as well as the measures initiated by the Cloud Service Provider to prevent such events and conditions in the future. Section 3.4.4.1 ¶ 3 If the Cloud Service Provider can provide evidence of additional controls not previously stated in the description, but in place for non-covered elements of the C5 criteria, the Cloud Service Provider shall include these controls in the description or adjust the existing control descriptions and present these changes in an appropriate form. Section 3.4.6 ¶ 2 The report on an attestation engagement includes the following elements: Description of the Cloud Service Provider's service-related system of internal control to meet the C5 criteria. Section 3.4.8 ¶ 2 3.] | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 [{in scope system description} {refrain from distorting} The description shall not omit or distort any information relevant to the fulfilment of the applicable C5 criteria. This does not mean that all aspects of the service-related internal control system that can be considered important from the point of view of individual customers of the Cloud Service Provider should be presented. It should be noted that the description is intended to achieve an appropriate level of transparency for a broad range of customers and that some of the processes can be customised. Section 3.4.4.1 ¶ 5] | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 [To the extent applicable for the certification or attestation, the following information are provided: date or period of validity or coverage. BC-06 ¶ 2 Bullet 3] | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8] | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Audits and risk management | Preventive | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2] | Audits and risk management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [According to ISAE 3000 (Revised), the auditor must determine before accepting an engagement that the professional duties (for auditors in Germany § 43 WPO, German Law regulating the Profession of Wirtschaftsprüfer: Wirtschaftsprüferordnung), including the duty of independence, are complied with. Based on the auditor's knowledge of the subject matter, the auditor shall assess whether the members of the audit team entrusted with the engagement have the necessary competency and understanding of the industry as well as capabilities to perform the audit and whether sufficient experience with the relevant formal requirements is available or can be obtained. Section 3.4.9 ¶ 1] | Audits and risk management | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [{independent audit report} The report on an attestation engagement includes the following elements: Independent auditor's report Section 3.4.8 ¶ 2 1.] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include the purpose in the audit report. CC ID 17263 [{independent audit report} The report on an attestation engagement includes the following elements: Intended users and purpose Section 3.4.8 ¶ 2 1 (g)] | Audits and risk management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6] | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Include written agreements in the audit report. CC ID 17266 [In this context, a reference to a liability agreement must be made in the audit report. Section 3.4.10 ¶ 3] | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 [{independent audit report} The report on an attestation engagement includes the following elements: Inherent limitations Section 3.4.8 ¶ 2 1 (e)] | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 [{audit criteria} {be applicable} The applicable C5 criteria are to be presented in the audit report's section containing the C5 criteria, controls, test procedures and results. Section 3.4.2.1 ¶ 3 {audit criteria} The report on an attestation engagement includes the following elements: Presentation of the applicable C5 criteria, the associated controls (part of the description), test procedures performed and the individual test results of the auditor. Section 3.4.8 ¶ 2 4.] | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: The measures to be taken to remedy the deviation in the future and when these measures are likely to be completed or effectively implemented. Section 3.4.7 ¶ 2 Bullet 3] | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6 {audit criteria} The report on an attestation engagement includes the following elements: Presentation of the applicable C5 criteria, the associated controls (part of the description), test procedures performed and the individual test results of the auditor. Section 3.4.8 ¶ 2 4. In case of a direct engagement, the components 2 'Written statement' and 3 'Description' are omitted. Nevertheless, the minimum contents of the description mentioned in Section 3.4.4.1 shall be presented in all material respects in the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Such information shall be provided in a separate section, e.g. "Description of the cloud service and the policies, procedures and measures applied by the Cloud Service Provider". Section 3.4.8 ¶ 3 An adjustment of the description may be waived if the descriptions of the auditor's test procedures clearly state how the elements of the C5 criteria not covered by the control description were audited. Such test procedures shall be marked in an appropriate form (e.g. "Further test procedure for assessing full coverage of the C5 criterion"). Section 3.4.6 ¶ 3] | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 [The test procedures performed shall be described for both suitability of design (type 1 report) and operating effectiveness (type 2 report) engagements. Section 3.4.8 ¶ 4 An adjustment of the description may be waived if the descriptions of the auditor's test procedures clearly state how the elements of the C5 criteria not covered by the control description were audited. Such test procedures shall be marked in an appropriate form (e.g. "Further test procedure for assessing full coverage of the C5 criterion"). Section 3.4.6 ¶ 3] | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: where mandated (type 2 report), the controls stated in the description operated effectively throughout a specified period. Section 3.4.4.2 ¶ 1 Bullet 3] | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the description fairly presents the Cloud Service Provider's service-related system of internal control to meet the C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report) and includes the minimum content as set forth in Section 3.4.4.1 this criteria catalogue; Section 3.4.4.2 ¶ 1 Bullet 1] | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 [{attestation engagement} The Cloud Service Provider shall select the method to be used at its own discretion and state it accordingly in the description (cf. Section 3.4.4.1 on Minimum Contents of the System Description). Section 3.4.5 ¶ 2 {independent audit report} {audit criteria} The report on an attestation engagement includes the following elements: Scope and C5 version Section 3.4.8 ¶ 2 1 (a)] | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 [The report on an attestation engagement includes the following elements: Optional: Other information provided by the Cloud Service Provider (this information is not subject of the audit, and, accordingly, the auditor does not express an opinion thereon). Section 3.4.8 ¶ 2 5.] | Audits and risk management | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was detected by the Cloud Service Provider itself, when and in the course of which measures the deviation was detected. Section 3.4.7 ¶ 2 Bullet 1 Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: Section 3.4.7 ¶ 2 Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2] | Audits and risk management | Corrective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Preventive | |
Include an audit opinion in the audit report. CC ID 07017 [{independent audit report} The report on an attestation engagement includes the following elements: Audit Opinion Section 3.4.8 ¶ 2 1 (f)] | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 [Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Inquiry of management of the Cloud Service Provider regarding their assessment of the cause of the identified deviation; Section 3.4.7 ¶ 1 Bullet 1 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Assessment of the Cloud Service Provider's handling of the identified deviation; Section 3.4.7 ¶ 1 Bullet 2 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Assessment whether comparable deviations have been identified by the Cloud Service Provider's monitoring processes and what measures have been taken as a result; and, Section 3.4.7 ¶ 1 Bullet 3 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Verification whether compensating controls are in place and effective to address the risks arising from the deviation in such a way that the C5 criterion is met with reasonable assurance. This concerns, for example, the assessment of alternative organisational and technical approaches of the Cloud Service Provider to meet the applicable C5 criteria, which have not been considered in the design of the criteria set out in this criteria catalogue. Section 3.4.7 ¶ 1 Bullet 4] | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{independent audit report} {internal control system} The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance. SSO-01 ¶ 3] | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Audits and risk management | Corrective | |
Include the audit criteria in the audit plan. CC ID 15262 [The criteria in this criteria catalogue shall be applied for periods being assessed ending on or after February 15, 2021. Earlier application of these criteria is permitted. Section 3.5 ¶ 3] | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 [{annual basis} The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: OIS-07 ¶ 1] | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Audits and risk management | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 [{confidentiality} {authentication information} Deviations are evaluated by means of a risk analysis and mitigating measures derived from this are implemented. IDM-08 ¶ 2] | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2 {vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Processing, storage or transmission of data of cloud customers with different protection needs; OIS-07 ¶ 1 Bullet 1] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Occurrence of vulnerabilities and malfunctions in technical protective measures for separating shared resources; OIS-07 ¶ 1 Bullet 2] | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 [Security requirements for premises and buildings related to the cloud service provided, are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Audits and risk management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of time targets for the maximum reasonable period during which data can be lost and not recovered (RPO); and BCM-02 ¶ 1 Bullet 9] | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (RTO); BCM-02 ¶ 1 Bullet 8] | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: Impact of a protection breach on the provision of the cloud service; SSO-02 ¶ 2 Bullet 2] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling; OIS-06 ¶ 1 Bullet 3] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [{confidentiality} {authentication information} Deviations are evaluated by means of a risk analysis and mitigating measures derived from this are implemented. IDM-08 ¶ 2] | Audits and risk management | Corrective | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Dependencies on subservice organisations. OIS-07 ¶ 1 Bullet 5] | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Establish, implement, and maintain a disclosure report. CC ID 15521 | Audits and risk management | Preventive | |
Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Preventive | |
Include operational metrics in the disclosure report. CC ID 15939 | Audits and risk management | Preventive | |
Include incident management metrics in the disclosure report. CC ID 15926 | Audits and risk management | Preventive | |
Establish, implement, and maintain an access classification scheme. CC ID 00509 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1] | Technical security | Preventive | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [Ensure the protection of information in networks and the corresponding information processing systems Section 5.9 Objective Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction are documented, communicated and provided according to SP-01. The policies and instructions establish a reference to the classification of information (cf. AM-06). COS-08 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain security classifications for organizational assets. CC ID 00005 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 [Access controls are supported by an access control system. PS-04 ¶ 2] | Technical security | Preventive | |
Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 [If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: The user is informed about changing or resetting the password. PSS-07 ¶ 1 Bullet 3] | Technical security | Preventive | |
Include guidance on selecting authentication credentials in the access control program. CC ID 11928 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | Technical security | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 [Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1] | Technical security | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1 {access roles} {access rights} The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Roles and rights concept including combinations that result in an elevated risk; and PSS-01 ¶ 2 Bullet 5 {access rights management plan} The Cloud Service Provider provides cloud users with a roles and rights concept for managing access rights. It describes rights profiles for the functions provided by the cloud service. PSS-08 ¶ 1] | Technical security | Preventive | |
Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 [{maintain} {confidentiality} The users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively for themselves (within the members of the group). IDM-08 ¶ 3] | Technical security | Preventive | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Preventive | |
Establish, implement, and maintain a password policy. CC ID 16346 [System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Technical security | Preventive | |
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Approval by authorised individual(s) or system(s) for granting or modifying user accounts and access rights before data of the cloud customer or system components used to provision the cloud service can be accessed; IDM-01 ¶ 1 Bullet 5 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Requirements for the approval and documentation of the management of user accounts and access rights. IDM-01 ¶ 1 Bullet 10] | Technical security | Preventive | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 [Secure the authorisation and authentication of users of the Cloud Service Provider (typically privileged users) to prevent unauthorised access. Section 5.7 Objective] | Technical security | Preventive | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Preventive | |
Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Preventive | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Preventive | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Preventive | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Preventive | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Preventive | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Between logging servers and the assets to be logged, authentication takes place to protect the integrity and authenticity of the information transmitted and stored. The transfer takes place using state-of-the-art encryption or a dedicated administration network (out-of-band management). OPS-14 ¶ 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Authentication mechanisms; PSS-01 ¶ 2 Bullet 4] | Technical security | Preventive | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1 Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: in which cases the security zones are to be separated and in which cases cloud customers are to be logically or physically segregated; COS-02 ¶ 1 Bullet 1 Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: how the data traffic for administration and monitoring is segregated from each on network level; COS-02 ¶ 1 Bullet 3] | Technical security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: COS-02 ¶ 1] | Technical security | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Technical security | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Preventive | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Preventive | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment based on the requirements of the cloud customers. COS-04 ¶ 1 {be redundant} {be available} Each network perimeter is controlled by redundant and highly-available security gateways. COS-04 ¶ 2] | Technical security | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 [Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment based on the requirements of the cloud customers. COS-04 ¶ 1] | Technical security | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Preventive | |
Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 [{insecure protocol} At specified intervals, the business justification for using all services, protocols, and ports is reviewed. The review also includes the justifications for compensatory measures for the use of protocols that are considered insecure. COS-03 ¶ 4] | Technical security | Preventive | |
Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Technical security | Preventive | |
Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Technical security | Preventive | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Technical security | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which communication relationships and which network and application protocols are permitted in each case; COS-02 ¶ 1 Bullet 2] | Technical security | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction are documented, communicated and provided according to SP-01. The policies and instructions establish a reference to the classification of information (cf. AM-06). COS-08 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Preventive | |
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Preventive | |
Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Technical security | Preventive | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 | Technical security | Preventive | |
Include the data sensitivity levels in the information exchange procedures. CC ID 17024 | Technical security | Preventive | |
Include communication requirements in the information exchange procedures. CC ID 17026 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which cross-network communication is allowed. COS-02 ¶ 1 Bullet 5] | Technical security | Preventive | |
Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Technical security | Preventive | |
Include contact information in the information exchange procedures. CC ID 17307 | Technical security | Preventive | |
Include implementation procedures in the information exchange procedures. CC ID 17022 | Technical security | Preventive | |
Include security controls in the information exchange procedures. CC ID 17021 | Technical security | Preventive | |
Include testing procedures in the information exchange procedures. CC ID 17020 | Technical security | Preventive | |
Include measurement criteria in the information exchange procedures. CC ID 17019 | Technical security | Preventive | |
Include training requirements in the information exchange procedures. CC ID 17017 | Technical security | Preventive | |
Revoke membership in the allowlist, as necessary. CC ID 13827 | Technical security | Corrective | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Technical security | Preventive | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Technical security | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised; CRY-04 ¶ 1 Bullet 5] | Technical security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: If pre-shared keys are used, the specific provisions relating to the safe use of this procedure are specified separately. CRY-04 ¶ 1 Bullet 8] | Technical security | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Secure storage of keys (separation of key management system from application and middleware level) including description of how authorised users get access; CRY-04 ¶ 1 Bullet 4] | Technical security | Preventive | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Provisioning and activation of the keys; CRY-04 ¶ 1 Bullet 3] | Technical security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 [System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Technical security | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Issuing and obtaining public-key certificates; CRY-04 ¶ 1 Bullet 2] | Technical security | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Issuing and obtaining public-key certificates; CRY-04 ¶ 1 Bullet 2] | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Protection against malware; AM-02 ¶ 1 Bullet 8] | Technical security | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: OPS-04 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Technical security | Preventive | |
Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 [The contract between the Cloud Service Provider and the cloud customer regulates which data is made available to the cloud customer for his own analysis in the event of security incidents. SIM-03 ¶ 4 The Cloud Service Provider grants its cloud customers contractually guaranteed information and audit rights. COM-02 ¶ 2] | Technical security | Preventive | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 The structural shell of premises and buildings related to the cloud service provided are physically solid and protected by adequate security measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). PS-03 ¶ 1 Security requirements for premises and buildings related to the cloud service provided, are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 [At access points to premises and buildings related to the cloud service provided, physical access controls are set up in accordance with the Cloud Service Provider's security requirements (cf. PS-01 Security Concept) to prevent unauthorised access. PS-04 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 [The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 [The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Existence and nature of access logging that enables the Cloud Service Provider, in the sense of an effectiveness audit, to check whether only defined personnel have entered the premises and buildings related to the cloud service provided. PS-04 ¶ 3 Bullet 6] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 [{security requirement} The surrounding wall constructions as well as the locking mechanisms meet the associated requirements. PS-03 ¶ 4] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain environmental control procedures. CC ID 12246 [The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Preventive | |
Define selection criteria for facility locations. CC ID 06351 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [Based on the business impact analysis, a single framework for operational continuity and business plan planning will be implemented, documented and enforced to ensure that all plans are consistent. Planning is based on established standards, which are documented in a "Statement of Applicability". BCM-03 ¶ 1] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 [The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1] | Operational and Systems Continuity | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Operational and Systems Continuity | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 [People in management and other relevant leadership positions demonstrate leadership and commitment to this issue by encouraging employees to actively contribute to the effectiveness of continuity and emergency management. BCM-01 ¶ 2] | Operational and Systems Continuity | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Preventive | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Preventive | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Preventive | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Preventive | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Preventive | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Preventive | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Preventive | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Preventive | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Preventive | |
Include data recovery in the business continuity testing strategy. CC ID 13262 | Operational and Systems Continuity | Preventive | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Preventive | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Preventive | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined purpose and scope with consideration of the relevant dependencies; BCM-03 ¶ 2 Bullet 1] | Operational and Systems Continuity | Preventive | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 [Based on the business impact analysis, a single framework for operational continuity and business plan planning will be implemented, documented and enforced to ensure that all plans are consistent. Planning is based on established standards, which are documented in a "Statement of Applicability". BCM-03 ¶ 1] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{take into account} {come into effect} Business continuity plans and contingency plans take the following aspects into account: Methods for putting the plans into effect; BCM-03 ¶ 2 Bullet 6 {take into account} Business continuity plans and contingency plans take the following aspects into account: Continuous process improvement; and BCM-03 ¶ 2 Bullet 7 {take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5 The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Estimation of the resources needed for resumption. BCM-02 ¶ 1 Bullet 10 The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1] | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [Plan, implement, maintain and test procedures and measures for business continuity and emergency management. Section 5.14 Objective The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1 {take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5] | Operational and Systems Continuity | Corrective | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 [{power supply facility} {emergency power solution} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-06 ¶ 1(b)] | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Preventive | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 [The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Recovery time to start emergency operation BC-03 ¶ 1 Bullet 3] | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Tests of recovery procedures (cf. OPS-08). OPS-06 ¶ 1 Bullet 4] | Operational and Systems Continuity | Detective | |
Include the recovery plan in the continuity plan. CC ID 01377 [{take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Operational and Systems Continuity | Preventive | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Preventive | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Preventive | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Preventive | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Preventive | |
Include outages in the emergency operating procedures. CC ID 17129 [{exceptional circumstance} {maximum tolerable downtime} The security requirements include time constraints for self-sufficient operation in the event of exceptional events (e.g. prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime. PS-01 ¶ 5] | Operational and Systems Continuity | Preventive | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Recovery time (time to completion of error handling); COM-03 ¶ 3 Bullet 4] | Operational and Systems Continuity | Preventive | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Preventive | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Operational and Systems Continuity | Preventive | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Detective | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Preventive | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Detective | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Accessibility and comprehensibility of the plans for persons who are to act accordingly; BCM-03 ¶ 2 Bullet 2] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 [If the Cloud Service Provider uses premises or buildings operated by third parties to provide the Cloud Service, the document describes which security requirements the Cloud Service Provider places on these third parties. PS-01 ¶ 3] | Operational and Systems Continuity | Preventive | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Operational and Systems Continuity | Preventive | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Operational and Systems Continuity | Preventive | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Operational and Systems Continuity | Preventive | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Operational and Systems Continuity | Preventive | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Operational and Systems Continuity | Preventive | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 [At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management. OPS-08 ¶ 3] | Operational and Systems Continuity | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 [The Cloud Service Provider's internal and external employees are provably committed to the policies and instructions for acceptable use and safe handling of assets before they can be used if the Cloud Service Provider has determined in a risk assessment that loss or unauthorised access could compromise the information security of the Cloud Service. AM-05 ¶ 1] | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Request of a police clearance certificate for applicants; HR-01 ¶ 2 Bullet 4] | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of academic titles and degrees; HR-01 ¶ 2 Bullet 3] | Human Resources management | Preventive | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation's assets are protected in the event of changes in responsibilities or termination. Section 5.3 Objective] | Human Resources management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2 The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1 The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Information security awareness and training requirements for staff; SSO-01 ¶ 1 Bullet 4] | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2] | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [The information security policy, and the policies and instructions based on it, are to be acknowledged by the internal and external personnel in a documented form before access is granted to any cloud customer data or system components under the responsibility of the Cloud Service Provider used to provide the cloud service in the production environment. HR-02 ¶ 2 Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation's assets are protected in the event of changes in responsibilities or termination. Section 5.3 Objective] | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Conflicting tasks and areas of responsibility that cannot be separated for organisational or technical reasons; and OIS-07 ¶ 1 Bullet 4] | Human Resources management | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Preventive | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Operational management | Preventive | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload. OPS-01 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain cloud service agreements. CC ID 13157 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: Its jurisdiction; and BC-01 ¶ 1 Bullet 1 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2 {technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Provision to cloud customers according to contractual agreements. OPS-11 ¶ 1 Bullet 6 {provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3 The Cloud Service Provider's procedures for deleting the cloud customers' data upon termination of the contractual relationship ensure compliance with the contractual agreements (cf. PI-02). PI-03 ¶ 1 The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for the contractual agreement of these requirements; SSO-01 ¶ 1 Bullet 7 In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Type, scope and format of the data the Cloud Service Provider provides to the cloud customer; PI-02 ¶ 1 Bullet 1 {make available} In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Definition of the timeframe, within which the Cloud Service Provider makes the data available to the cloud customer; PI-02 ¶ 1 Bullet 2 {make inaccessible} In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Definition of the point in time as of which the Cloud Service Provider makes the data inaccessible to the cloud customer and deletes these; and PI-02 ¶ 1 Bullet 3] | Operational management | Preventive | |
Include data sovereignty requirements in cloud service agreements. CC ID 16931 [{provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3] | Operational management | Preventive | |
Include the asset removal policy in the cloud service agreement. CC ID 13161 | Operational management | Preventive | |
Include cloud security requirements in the cloud management procedures. CC ID 16366 [Provide policies and instructions regarding security requirements and to support business requirements. Section 5.2 Objective {information security policy} {legal and regulatory requirements} The review shall consider at least the following aspects: Legal and regulatory changes in the Cloud Service Provider's environment. SP-02 ¶ 2 Bullet 2 {technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2 {applicable requirements} The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service as well as the Cloud Service Provider's procedures for complying with these requirements are explicitly defined and documented. COM-01 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain a cloud service usage standard. CC ID 13143 [{technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider provides cloud customers with guidelines and recommendations for the secure use of the cloud service provided. The information contained therein is intended to assist the cloud customer in the secure configuration, installation and use of the cloud service, to the extent applicable to the cloud service and the responsibility of the cloud user. PSS-01 ¶ 1 {secure use} The information is maintained so that it is applicable to the cloud service provided in the version intended for productive use. PSS-01 ¶ 3] | Operational management | Preventive | |
Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 [In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: The cloud customers' responsibilities and obligations to cooperate for the provision of the data. PI-02 ¶ 1 Bullet 4 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements; DEV-03 ¶ 1 Bullet 4 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Services and functions for administration of the cloud service by privileged users. PSS-01 ¶ 2 Bullet 6] | Operational management | Preventive | |
Include information security requirements in the cloud service usage standard. CC ID 13148 [{access roles} {access rights} The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Roles and rights concept including combinations that result in an elevated risk; and PSS-01 ¶ 2 Bullet 5] | Operational management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 [{security requirements} The policies and instructions describe at least the following aspects: Applicable legal and regulatory requirements. SP-01 ¶ 3 Bullet 6] | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Name, type and scope of cloud services provided; Section 3.4.4.1 ¶ 1 Bullet 1] | Operational management | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Name, type and scope of cloud services provided; Section 3.4.4.1 ¶ 1 Bullet 1] | Operational management | Preventive | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Dealing with significant events and conditions that represent exceptions to normal operation, such as security incidents or the failure of system components; Section 3.4.4.1 ¶ 1 Bullet 6] | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Plan, implement, maintain and continuously improve the information security framework within the organisation Section 5.1 Objective The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: OIS-01 ¶ 2 The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service. OIS-01 ¶ 1] | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which internal, cross-location communication is permitted; and COS-02 ¶ 1 Bullet 4 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Recovery time (time until completion of error handling). SSO-04 ¶ 5 Bullet 4] | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 [{information security policy} The policy describes: the organisational structure for information security in the ISMS application area. OIS-02 ¶ 2 Bullet 4] | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers. OIS-02 ¶ 1 Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1 Information security policies and instructions are reviewed at least annually for adequacy by the Cloud Service Provider's subject matter experts. SP-02 ¶ 1] | Operational management | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 [Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1] | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 [{security requirements} The policies and instructions describe at least the following aspects: Steps for the execution of the security strategy; and SP-01 ¶ 3 Bullet 5 {information security policy} The policy describes: the most important aspects of the security strategy to achieve the security objectives set; and OIS-02 ¶ 2 Bullet 3] | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [{information security policy} The policy describes: the importance of information security, based on the requirements of cloud customers in relation to information security; OIS-02 ¶ 2 Bullet 1] | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [{security requirements} The policies and instructions describe at least the following aspects: Objectives; SP-01 ¶ 3 Bullet 1 {information security policy} The policy describes: the security objectives and the desired security level, based on the business goals and tasks of the Cloud Service Provider; OIS-02 ¶ 2 Bullet 2] | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [{security requirements} The policies and instructions describe at least the following aspects: Roles and dependencies on other organisations (especially cloud customers and subservice organisations); SP-01 ¶ 3 Bullet 4] | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Operational management | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [The Cloud Service Provider has an approval process for the use of hardware to be commissioned, which is used to provide the cloud service in the production environment, in which the risks arising from the commissioning are identified, analysed and mitigated. Approval is granted after verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies. AM-03 ¶ 1] | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Classification and labelling based on the need for protection of the information and measures for the level of protection identified; AM-02 ¶ 1 Bullet 3] | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Restriction of software installations or use of services; AM-02 ¶ 1 Bullet 7] | Operational management | Preventive | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 [Personal data is automatically removed from the log data before the Cloud Service Provider processes it as far as technically possible. The removal is done in a way that allows the Cloud Service Provider to continue to use the log data for the purpose for which it was collected. OPS-11 ¶ 2] | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Restriction of software installations or use of services; AM-02 ¶ 1 Bullet 7 {acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Handling of software for which support and security patches are not available anymore; AM-02 ¶ 1 Bullet 6] | Operational management | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{nondisclosure agreement} The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated. HR-06 ¶ 3 {nondisclosure agreement} The non-disclosure or confidentiality agreements to be agreed with internal employees, external service providers and suppliers of the Cloud Service Provider are based on the requirements identified by the Cloud Service Provider for the protection of confidential information and operational details. HR-06 ¶ 1] | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted. HR-06 ¶ 2] | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{information security requirement} Avoid non-compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements. Section 5.15 Objective] | Operational management | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Operational management | Preventive | |
Establish, implement, and maintain a network management program. CC ID 13123 [The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Operational management | Preventive | |
Include quality of service requirements in the network management program. CC ID 16429 | Operational management | Preventive | |
Document the network design in the network management program. CC ID 13135 | Operational management | Preventive | |
Establish, implement, and maintain network documentation. CC ID 16497 | Operational management | Preventive | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
Include installation requirements in the asset management program. CC ID 17195 | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [The cloud provider provides subject matter experts of cloud customers with comprehensible and transparent information on the availability of the data centres used to provide the cloud service (including data centres operated by subcontractors), as needed. The information shows availability and downtime over one year according to industry standard classification schemes. The information enables cloud customers to assess the cloud service as part of their business impact analysis. BC-04 ¶ 1 The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Performance and availability of system components; SSO-04 ¶ 5 Bullet 2 Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Performance and availability of these system components; COM-03 ¶ 3 Bullet 2] | Operational management | Preventive | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Classification and labelling based on the need for protection of the information and measures for the level of protection identified; AM-02 ¶ 1 Bullet 3] | Operational management | Preventive | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Inventory; AM-02 ¶ 1 Bullet 2] | Operational management | Preventive | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 [Assets are recorded with the information needed to apply the Risk Management Procedure (cf. OIS-07), including the measures taken to manage these risks throughout the asset lifecycle. Changes to this information are logged. AM-01 ¶ 3] | Operational management | Preventive | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
Record all changes to assets in the asset inventory. CC ID 12190 [Assets are recorded with the information needed to apply the Risk Management Procedure (cf. OIS-07), including the measures taken to manage these risks throughout the asset lifecycle. Changes to this information are logged. AM-01 ¶ 3] | Operational management | Preventive | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 [The decommissioning includes the complete and permanent deletion of the data or proper destruction of the media. AM-04 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Maintenance (servicing, inspection, repair) of the utilities in accordance with the manufacturer's recommendations. PS-06 ¶ 1(c)] | Operational management | Preventive | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Preventive | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 [The decommissioning of hardware used to operate system components supporting the cloud service production environment under the responsibility of the Cloud Service Provider requires approval based on the applicable policies. AM-04 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Definition of events that could lead to a violation of the protection goals; OPS-10 ¶ 1 Bullet 1] | Operational management | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Mechanisms are in place to measure and monitor the type and scope of security incidents and to report them to support agencies. The information obtained from the evaluation is used to identify recurrent or significant incidents and to identify the need for further protection. SIM-05 ¶ 1] | Operational management | Preventive | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Preventive | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Operational management | Corrective | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include the incident reference code in incident response notifications. CC ID 17292 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Operational management | Preventive | |
Include costs associated with the incident in incident response notifications. CC ID 17300 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
Include response times in the containment strategy. CC ID 13485 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Response time to malfunctions and security incidents; and SSO-04 ¶ 5 Bullet 3] | Operational management | Preventive | |
Log incidents in the Incident Management audit log. CC ID 00857 [Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Operational management | Preventive | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Mechanisms are in place to measure and monitor the type and scope of security incidents and to report them to support agencies. The information obtained from the evaluation is used to identify recurrent or significant incidents and to identify the need for further protection. SIM-05 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Create an incident response report. CC ID 12700 | Operational management | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [As soon as an incident has been resolved from the Cloud Service Provider's perspective, the cloud customer is informed according to the contractual agreements, about the actions taken. OPS-21 ¶ 2 After a security incident has been processed, the solution is documented in accordance with the contractual agreements and the report is sent to the affected customers for final acknowledgement or, if applicable, as confirmation. SIM-03 ¶ 1] | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Operational management | Preventive | |
Include root cause analysis in the incident response plan. CC ID 16423 [Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1 There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 [In addition, the Cloud Service Provider has set up a "Computer Emergency Response Team" (CERT), which contributes to the coordinated resolution of occurring security incidents. SIM-01 ¶ 3] | Operational management | Preventive | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Preventive | |
Include the incident response training program in the Incident Response program. CC ID 06750 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Correct behaviour in the event of security incidents. HR-03 ¶ 1 Bullet 4] | Operational management | Preventive | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Preventive | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: dealing with incidents and vulnerabilities; and AM-02 ¶ 1 Bullet 11] | Operational management | Detective | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 [Interfaces are available to conduct forensic analyses and perform backups of infrastructure components and their network communication. OPS-15 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Operational management | Preventive | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Security incidents; and OIS-03 ¶ 1 Bullet 2] | Operational management | Preventive | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Performance and availability of these system components; COM-03 ¶ 3 Bullet 2] | Operational management | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Operational management | Preventive | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Operational management | Preventive | |
Include availability requirements in Service Level Agreements. CC ID 13095 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Availability of the cloud service; BC-02 ¶ 1 Bullet 1 The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 [Version control procedures are set up to track dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities. DEV-08 ¶ 1 Version control procedures provide appropriate safeguards to ensure that the integrity and availability of cloud customer data is not compromised when system components are restored back to their previous state. DEV-08 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [Version control procedures are set up to track dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities. DEV-08 ¶ 1] | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the documentation of changes in system, operational and user documentation; and DEV-03 ¶ 1 Bullet 5] | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes. DEV-03 ¶ 1 Bullet 6] | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1 If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: If the Cloud Service Provider provides images of virtual machines or containers to the Cloud Customer, the Cloud Service Provider appropriately informs the Cloud Customer of the changes made to the previous version. PSS-11 ¶ 1 Bullet 2] | Operational management | Preventive | |
Establish, implement, and maintain a transition strategy. CC ID 17049 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition of success criteria for the transition; and SSO-05 ¶ 2 Bullet 3] | Operational management | Preventive | |
Include monitoring requirements in the transition strategy. CC ID 17290 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition of indicators for monitoring the performance of services, which should initiate the withdrawal from the service if the results are unacceptable. SSO-05 ¶ 2 Bullet 4] | Operational management | Preventive | |
Include resources in the transition strategy. CC ID 17289 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition; SSO-05 ¶ 2 Bullet 2] | Operational management | Preventive | |
Include time requirements in the transition strategy. CC ID 17288 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Preventive | |
Include configuration management procedures in the configuration management plan. CC ID 14248 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Instructions for secure configuration; PSS-01 ¶ 2 Bullet 1] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain an account lockout policy. CC ID 01709 [User accounts of internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider are automatically locked if they have not been used for a period of two months. Approval from authorised personnel or system components is required to unlock these accounts. IDM-03 ¶ 1] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a network addressing plan. CC ID 16399 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain a data retention program. CC ID 00906 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects: The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO); OPS-06 ¶ 1 Bullet 1] | Records management | Detective | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Deletion when further retention is no longer necessary for the purpose of collection. OPS-12 ¶ 1 Bullet 3] | Records management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Records management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Error handling and logging mechanisms; PSS-01 ¶ 2 Bullet 3 The cloud service provided is equipped with error handling and logging mechanisms. These enable cloud users to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides. PSS-04 ¶ 1] | Records management | Detective | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Systems design, build, and implementation | Preventive | |
Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain outsourced development procedures. CC ID 01141 [In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Security in software development (requirements, design, implementation, tests and verifications) in accordance with recognised standards and methods; DEV-02 ¶ 1 Bullet 1] | Systems design, build, and implementation | Preventive | |
Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Preventive | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Preventive | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Preventive | |
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 [Access to the non-production environment requires two-factor or multi-factor authentication. Within the non-production environment, users are authenticated using passwords, digitally signed certificates, or procedures that provide at least an equivalent level of security. IDM-09 ¶ 2] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Preventive | |
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Preventive | |
Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Preventive | |
Establish and maintain User Interface documentation. CC ID 12204 [The type and scope of the documentation on the interfaces is geared to the needs of the cloud customers' subject matter experts in order to enable the use of these interfaces. The information is maintained in such a way that it is applicable for the cloud service's version which is intended for productive use. PI-01 ¶ 3] | Systems design, build, and implementation | Preventive | |
Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Preventive | |
Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Preventive | |
Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Preventive | |
Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Preventive | |
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Preventive | |
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Preventive | |
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Preventive | |
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Preventive | |
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Preventive | |
Include the source code in the implementation representation document. CC ID 13089 | Systems design, build, and implementation | Preventive | |
Include the hardware schematics in the implementation representation document. CC ID 13098 | Systems design, build, and implementation | Preventive | |
Review and update the security architecture, as necessary. CC ID 14277 | Systems design, build, and implementation | Corrective | |
Review and update the privacy architecture, as necessary. CC ID 14674 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Acceptance testing of the quality of the services provided in accordance with the agreed functional and non-functional requirements; and DEV-02 ¶ 1 Bullet 2] | Systems design, build, and implementation | Preventive | |
Plan and document the Certification and Accreditation process. CC ID 11767 [The Information Security Management System (ISMS) has a valid certification according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz. OIS-01 ¶ 3 To the extent applicable for the certification or attestation, the following information is provided: issuing organisation; and BC-06 ¶ 2 Bullet 2 To the extent applicable for the certification or attestation, the following information is provided: date of issuance; BC-06 ¶ 2 Bullet 1] | Systems design, build, and implementation | Preventive | |
Submit the information system's security authorization package to the appropriate stakeholders, as necessary. CC ID 13987 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [{vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [The Cloud Service Provider has an approval process for the use of hardware to be commissioned, which is used to provide the cloud service in the production environment, in which the risks arising from the commissioning are identified, analysed and mitigated. Approval is granted after verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies. AM-03 ¶ 1 In procurement, products are preferred which have been certified according to the "Common Criteria for Information Technology Security Evaluation" (short: Common Criteria – CC) according to Evaluation Assurance Level EAL 4. If non-certified products are to be procured when certified products are available, a risk assessment is carried out in accordance with OIS-07. DEV-01 ¶ 3] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: the ability of the affected cloud customers to object; and BC-05 ¶ 1 Bullet 3] | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Access to the data processed, stored or transmitted in the cloud service by internal or external employees of the Cloud Service Provider requires the prior consent of an authorised department of the cloud customer, provided that the cloud customer's data is not encrypted, encryption is disabled for access, or contractual agreements do not explicitly exclude such consent. For the consent, the cloud customer's department is provided with meaningful information about the cause, time, duration, type and scope of the access supporting assessing the risks associated with the access. IDM-07 ¶ 2] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Preventive | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: Procedures for informing and involving the affected cloud customers upon receipt of such enquiries; BC-05 ¶ 1 Bullet 2] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Storage for a fixed period reasonably related to the purposes of the collection; OPS-11 ¶ 1 Bullet 4] | Privacy protection for information and data | Preventive | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: PSS-01 ¶ 2] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: OPS-11 ¶ 1] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: OPS-12 ¶ 1] | Privacy protection for information and data | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of all data. CRY-02 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of data of cloud customers over public networks. CRY-02 ¶ 1] | Privacy protection for information and data | Preventive | |
Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain organizational documents. CC ID 16202 | Harmonization Methods and Manual of Style | Preventive | |
Include version control on organizational documents. CC ID 16268 [{information security policy} The policies and instructions are version controlled and approved by the top management of the Cloud Service Provider or an authorised body. SP-01 ¶ 2] | Harmonization Methods and Manual of Style | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: SSO-01 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 [The Cloud Service Provider has defined and documented exit strategies for the purchase of services where the risk assessment of the service providers and suppliers regarding the scope, complexity and uniqueness of the purchased service resulted in a very high dependency (cf. Supplementary Information). SSO-05 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state of the art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: applicable legal and regulatory requirements; SSO-01 ¶ 1 Bullet 5] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: Records of the third parties on the handling of vulnerabilities, security incidents and malfunctions. SSO-04 ¶ 2 Bullet 4] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: independent third-party reports on the suitability and operating effectiveness of their service-related internal control systems; and SSO-04 ¶ 2 Bullet 3] | Third Party and supply chain oversight | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for applying these requirements also to service providers used by the third parties, insofar as the services provided by these service providers also contribute to the provision of the cloud service. SSO-01 ¶ 1 Bullet 9] | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 [In accordance with the contractual agreements, meaningful information about the occasion, time, duration, type and scope of the change is submitted to authorised bodies of the cloud customer so that they can carry out their own risk assessment before the change is made available in the production environment. Regardless of the contractual agreements, this is done for changes that have the highest risk category based on their risk assessment. DEV-05 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
Include termination costs in third party contracts. CC ID 10023 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Categorisation and Prioritisation of incidents; BC-02 ¶ 1 Bullet 2 In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Response times for disruptions of regular operation according to the categorisation (time elapsed between the reporting and the resolution of the disruption by the Cloud Service Provider); BC-02 ¶ 1 Bullet 3 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for dealing with vulnerabilities, security incidents and malfunctions; SSO-01 ¶ 1 Bullet 6] | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: OIS-03 ¶ 1 Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identify dependencies, including processes (including resources required), applications, business partners and third parties; BCM-02 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [{directory} {service provider} The information in the list is checked at least annually for completeness, accuracy and validity. SSO-03 ¶ 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: SSO-03 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Third Party and supply chain oversight | Preventive | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Locations of data processing and storage; SSO-03 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Preventive | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Locations of data processing and storage; SSO-03 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Preventive | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Address; SSO-03 ¶ 1 Bullet 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Responsible contact person at the service provider/supplier; SSO-03 ¶ 1 Bullet 4 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Responsible contact person at the cloud service provider; SSO-03 ¶ 1 Bullet 5] | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Beginning of service usage; and SSO-03 ¶ 1 Bullet 8] | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Description of the service; SSO-03 ¶ 1 Bullet 6] | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for the classification of third parties based on the risk assessment by the Cloud Service Provider and the determination of whether the third party is a subcontractor (cf. Supplementary Information); SSO-01 ¶ 1 Bullet 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Classification based on the risk assessment; SSO-03 ¶ 1 Bullet 7] | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for the assessment of risks resulting from the procurement of third-party services; SSO-01 ¶ 1 Bullet 1] | Third Party and supply chain oversight | Preventive | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: The Cloud Service Provider's dependence on the service provider or supplier for the scope, complexity and uniqueness of the service purchased, including the consideration of possible alternatives. SSO-02 ¶ 2 Bullet 3] | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
Request attestation of compliance from third parties. CC ID 12067 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Proof of compliance with contractually agreed requirements. SSO-03 ¶ 1 Bullet 9 Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: SSO-04 ¶ 2] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [Subservice organisations of the Cloud Service Provider are contractually obliged to provide regular reports by independent auditors on the suitability of the design and operating effectiveness of their service-related internal control system. SSO-01 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 [If necessary, the Cloud Service Provider will outsource parts of its business processes for the provision of the cloud service to other service providers (use of subservice organisations). The Cloud Service Provider describes this in its description and the auditor takes this into consideration as specified in the audit standards ISAE 3402. The standard distinguishes for an attestation engagement between the "inclusive method" and the "carve-out method": Section 3.4.5 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain contracts with asset disposition vendors, as necessary. CC ID 14826 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain contracts with Information Technology asset disposition vendors. CC ID 13895 | Third Party and supply chain oversight | Preventive | |
Specify asset ownership in outsourcing contracts. CC ID 13141 | Third Party and supply chain oversight | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 | Third Party and supply chain oversight | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 | Third Party and supply chain oversight | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 | Third Party and supply chain oversight | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Preventive | |
Define the qualification requirements for auditors. CC ID 17259 | Audits and risk management | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 [{independent audit report} Compliance with the qualification requirements shall be confirmed in the section "Independence and quality control of the auditor/auditing firm" of the independent auditor's report. Section 3.4.9 ¶ 6] | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Define access needs for each role assigned to an information system. CC ID 12455 [{access rights management plan} The Cloud Service Provider provides cloud users with a roles and rights concept for managing access rights. It describes rights profiles for the functions provided by the cloud service. PSS-08 ¶ 1] | Technical security | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners; OIS-06 ¶ 1 Bullet 1] | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [The Cloud Service Provider informs employees and external business partners of their obligations. If necessary, they agree to or are contractually obliged to report all security events that become known to them and are directly related to the cloud service provided by the Cloud Service Provider to a previously designated central office of the Cloud Service Provider promptly. SIM-04 ¶ 1] | Human Resources management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Preventive | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Human Resources management | Preventive | |
Perform a background check during personnel screening. CC ID 11758 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Evaluation of the risk to be blackmailed. HR-01 ¶ 2 Bullet 6] | Human Resources management | Detective | |
Perform a personal references check during personnel screening. CC ID 06645 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Certificate of good conduct or national equivalent; and HR-01 ¶ 2 Bullet 5] | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of the CV; HR-01 ¶ 2 Bullet 2] | Human Resources management | Preventive | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Preventive | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [{duration} Internal and external employees have been informed about which responsibilities, arising from employment terms and conditions relating to information security, will remain in place when their employment is terminated or changed and for how long. HR-05 ¶ 1] | Human Resources management | Preventive | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [The Cloud Service Provider's internal and external employees are required by the employment terms and conditions to comply with applicable policies and instructions relating to information security. HR-02 ¶ 1] | Human Resources management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Operational management | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Detective | |
Rank discovered vulnerabilities. CC ID 11940 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Assessment of the severity of identified vulnerabilities; OPS-18 ¶ 1 Bullet 2] | Monitoring and measurement | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2] | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Verify proof of identity records. CC ID 13761 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of the person through identity card; HR-01 ¶ 2 Bullet 1] | Technical security | Detective | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Detective | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Analyze the incident response process following an incident response. CC ID 13179 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Response time to malfunctions and security incidents; COM-03 ¶ 3 Bullet 3] | Operational management | Detective | |
Prepare digital forensic equipment. CC ID 08688 | Operational management | Detective | |
Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 [There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [The Cloud Service Provider monitors the system components for logging and monitoring in its area of responsibility. Failures are automatically and promptly reported to the Cloud Service Provider's responsible departments so that these can assess the failures and take required action. OPS-17 ¶ 1 The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: OPS-12 ¶ 1] | Monitoring and measurement | Detective | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective Depending on the capabilities of the respective service model, the cloud customer can control and monitor the allocation of the system resources assigned to the customer for administration/use in order to avoid overcrowding of resources and to achieve sufficient performance. OPS-03 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Malfunctions during processing of automatic or manual actions; and PSS-04 ¶ 2 Bullet 2 If the cloud customer is responsible for the activation or type and scope of logging, the Cloud Service Provider must provide appropriate logging capabilities. PSS-04 ¶ 4] | Monitoring and measurement | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 [The relevant logs or summarised results are available to the cloud customer in a self-service portal for monitoring the data backup. OPS-07 ¶ 2 On request of the cloud customer, the Cloud Service Provider provides the logs relating to the cloud customer in an appropriate form and in a timely manner so that the cloud customer can investigate any incidents relating to them. OPS-15 ¶ 3 Cloud users can retrieve security-related information via documented interfaces which are suitable for further processing this information as part of their Security Information and Event Management (SIEM). PSS-04 ¶ 5] | Monitoring and measurement | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [{take into account} Logging and monitoring applications take the asset protection needs into account in order to inform the responsible stakeholder of events that could lead to a violation of the protection goals, so that the necessary measures are taken with an appropriate priority. Actions for events on assets with a higher level of protection take precedence over events on assets with a lower need for protection. AM-06 ¶ 3 Logging and monitoring applications take into account the information collected on the assets in order to identify the impact on cloud services and functions in case of events that could lead to a breach of protection objectives, and to support information provided to affected cloud customers in accordance with contractual agreements. AM-01 ¶ 4 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Logging and monitoring of activities. COM-02 ¶ 1 Bullet 3] | Monitoring and measurement | Detective | |
Establish, implement, and maintain event logging procedures. CC ID 01335 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Specifications for activating, stopping and pausing the various logs; OPS-10 ¶ 1 Bullet 2] | Monitoring and measurement | Detective | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The logging data is automatically monitored for events that may violate the protection goals in accordance with the logging and monitoring requirements. This also includes the detection of relationships between events (event correlation). OPS-13 ¶ 1 Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitoring and measurement | Detective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 [The Cloud Service Provider grants its cloud customers contractually guaranteed information and audit rights. COM-02 ¶ 2 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Error handling and logging mechanisms; PSS-01 ¶ 2 Bullet 3 The cloud service provided is equipped with error handling and logging mechanisms. These enable cloud users to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides. PSS-04 ¶ 1] | Monitoring and measurement | Detective | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Access only for authorised users and systems; OPS-12 ¶ 1 Bullet 1] | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 [Personal data is automatically removed from the log data before the Cloud Service Provider processes it as far as technically possible. The removal is done in a way that allows the Cloud Service Provider to continue to use the log data for the purpose for which it was collected. OPS-11 ¶ 2 {be specific} {logical separation} The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out. OPS-14 ¶ 3] | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 [The logged information is protected from unauthorised access and modification and can be deleted by the Cloud Customer. PSS-04 ¶ 3] | Monitoring and measurement | Preventive | |
Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Preventive | |
Include the user's location in the system record. CC ID 16996 | Technical security | Preventive | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Preventive | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Preventive | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Preventive | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Preventive | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Preventive | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Preventive | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Preventive | |
Establish and maintain a visitor log. CC ID 00715 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and PS-04 ¶ 3 Bullet 5] | Physical and environmental protection | Preventive | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Preventive | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Preventive | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Preventive | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Preventive | |
Include time information in the chain of custody. CC ID 17068 | Operational management | Preventive | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Preventive | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Preventive | |
Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The Information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | System hardening through configuration management | Detective | |
Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | System hardening through configuration management | Detective | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | System hardening through configuration management | Detective | |
Include the sanitization method in the disposal record. CC ID 17073 | Records management | Preventive | |
Include time information in the disposal record. CC ID 17072 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 [The top management of the Cloud Service Provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS that is performed at least once a year. COM-04 ¶ 1] | Records management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Preventive | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Preventive | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Preventive | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Preventive | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Monitoring and measurement | Detective | |
Monitor systems for errors and faults. CC ID 04544 [The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1 The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Monitoring and measurement | Detective | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions. OIS-04 ¶ 3 Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitoring and measurement | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitoring and measurement | Detective | |
Detect unauthorized access to systems. CC ID 06798 [The security measures are designed to detect and prevent unauthorised access so that the information security of the cloud service is not compromised. PS-03 ¶ 2] | Monitoring and measurement | Detective | |
Monitor and evaluate system performance. CC ID 00651 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Performance and availability of system components; SSO-04 ¶ 5 Bullet 2] | Monitoring and measurement | Detective | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions. OIS-04 ¶ 3 Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitoring and measurement | Detective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 [{risk assess} The entirety of the conception and configuration undertaken to monitor the connections mentioned is assessed in a risk-oriented manner, at least annually, with regard to the resulting security requirements. COS-03 ¶ 2] | Monitoring and measurement | Preventive | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Detective | |
Implement file integrity monitoring. CC ID 01205 [At startup and runtime of virtual machine or container images, an integrity check is performed that detects image manipulations and reports them to the cloud customer. PSS-11 ¶ 2] | Monitoring and measurement | Detective | |
Monitor for software configurations updates absent authorization. CC ID 10676 [{malware} The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the subject matter experts so that the deviations are immediately assessed and the necessary measures taken. OPS-05 ¶ 2] | Monitoring and measurement | Preventive | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The appropriate and effective verification of implementation is carried out in accordance with the criteria for controlling and monitoring subcontractors (cf. SSO-01, SSO-02). PS-01 ¶ 4 The Cloud Service Provider monitors compliance with information security requirements and applicable legal and regulatory requirements in accordance with policies and instructions concerning controlling and monitoring of third-parties. SSO-04 ¶ 1] | Monitoring and measurement | Detective | |
Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Detective | |
Inspect for tampering, as necessary. CC ID 10640 [{power distributor} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Traces of violent attempts to open closed distributors; PS-06 ¶ 1(d) Bullet 1] | Physical and environmental protection | Detective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and PS-04 ¶ 3 Bullet 5] | Physical and environmental protection | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5 {be insufficient} The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Insufficient surveillance; PS-01 ¶ 2 Bullet 3] | Physical and environmental protection | Detective | |
Install and maintain an environment control monitoring system. CC ID 06370 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2 The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1 {cooling system} For a self-sufficient operation during a heat period, the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings have been determined with a safety margin of 3 K. The security requirements stipulate that the permissible operating and environmental parameters of the cooling supply must also be observed on at least five consecutive days with these outside temperatures including the safety margin (cf. PS-06 Protection against failure of the supply facilities). PS-01 ¶ 7 {duration} If water is taken from a river for air conditioning, it is determined at which water levels and water temperatures the air conditioning can be maintained for how long. PS-01 ¶ 8] | Physical and environmental protection | Detective | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2] | Human Resources management | Detective | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Human Resources management | Preventive | |
Monitor managing cloud services. CC ID 13150 [{technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1 Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access and monitor the agreed services and security requirements. Section 5.12 Objective] | Operational management | Detective | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
Respond to and triage when an incident is detected. CC ID 06942 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1 The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 [{security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Records management | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: reports on the quality of the service provided; SSO-04 ¶ 2 Bullet 1 The frequency of the monitoring corresponds to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. SSO-02). The results of the monitoring are included in the review of the third party's risk assessment. SSO-04 ¶ 3] | Third Party and supply chain oversight | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Protect facilities from eavesdropping. CC ID 02222 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: PS-06 ¶ 1(d)] | Physical and environmental protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
Maintain all security alarm systems. CC ID 11669 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5] | Physical and environmental protection | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Preventive | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Unauthorised access; PS-01 ¶ 2 Bullet 2] | Physical and environmental protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Physical and environmental protection | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
Protect distributed assets against theft. CC ID 06799 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Physical and environmental protection | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 [{physical separation} In the case of IaaS/PaaS, the secure segregation is ensured by physically separated networks or by means of strongly encrypted VLANs. For the definition of strong encryption, the BSI Technical Guideline TR-02102 must be considered. COS-06 ¶ 2] | Physical and environmental protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Preventive | |
Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: PS-06 ¶ 1(d)] | Physical and environmental protection | Preventive | |
Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and environmental protection | Preventive | |
Build critical facilities according to applicable building codes. CC ID 06366 [The structural shell of premises and buildings related to the cloud service provided are physically solid and protected by adequate security measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). PS-03 ¶ 1 The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and environmental protection | Preventive | |
Build critical facilities with fire resistant materials. CC ID 06365 | Physical and environmental protection | Preventive | |
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Preventive | |
Build critical facilities with water-resistant materials. CC ID 11679 | Physical and environmental protection | Preventive | |
Install and maintain smoke control systems. CC ID 17291 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: PS-05 ¶ 1] | Physical and environmental protection | Preventive | |
Install and maintain fire alarm systems. CC ID 17267 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Fire alarm system with reporting to the local fire department. PS-05 ¶ 1(b) Bullet 3] | Physical and environmental protection | Preventive | |
Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Regular fire protection inspections to check compliance with fire protection requirements; and PS-05 ¶ 1(c) Bullet 1] | Physical and environmental protection | Preventive | |
Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Establishment of fire sections with a fire resistance duration of at least 90 minutes for all structural parts. PS-05 ¶ 1(a) ¶ 1] | Physical and environmental protection | Preventive | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Preventive | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Preventive | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Operational and Systems Continuity | Preventive | |
Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Preventive | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [{separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2] | Operational and Systems Continuity | Preventive | |
Protect clients' hosted environments. CC ID 11862 | Operational management | Preventive | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Activities that may result in malfunctions to the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods; and COM-02 ¶ 1 Bullet 2] | Operational management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
Store manufacturing components in a controlled access area. CC ID 12256 | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an oversight team. CC ID 17303 | Leadership and high level objectives | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Preventive | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Detective | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Preventive | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Preventive | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Preventive | |
Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
Implement identity proofing processes. CC ID 13719 | Technical security | Preventive | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 | Technical security | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Detective | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Detective | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Preventive | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
Conduct fire drills, as necessary. CC ID 13985 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Regular fire protection exercises. PS-05 ¶ 1(c) Bullet 2] | Physical and environmental protection | Preventive | |
Employ environmental protections. CC ID 12570 | Physical and environmental protection | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 [Interfaces are available to conduct forensic analyses and perform backups of infrastructure components and their network communication. OPS-15 ¶ 2] | Operational and Systems Continuity | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 | Operational management | Preventive | |
Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [{information security policy} Revised policies and instructions are approved before they become effective. SP-02 ¶ 3 {information security policy} The policies and instructions are version controlled and approved by the top management of the Cloud Service Provider or an authorised body. SP-01 ¶ 2] | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Legal consequences of non-compliance. BC-02 ¶ 1 Bullet 5] | Operational management | Corrective | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [The maximum tolerable downtimes of utility facilities are suitable for meeting the availability requirements contained in the service level agreement. PS-01 ¶ 9] | Operational management | Preventive | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Preventive | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Detective | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of the maximum acceptable duration of malfunctions; BCM-02 ¶ 1 Bullet 6] | Operational management | Detective | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Detective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [The Cloud Service Provider periodically informs the cloud customer on the status of incidents affecting the cloud customer, or, where appropriate and necessary, involve the customer in the resolution, in a manner consistent with the contractual agreements. OPS-21 ¶ 1 {incident response report} The customer can either actively approve solutions or the solution is automatically approved after a certain period. SIM-03 ¶ 2 The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes. DEV-03 ¶ 1 Bullet 6] | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Define the location requirements for network elements and network devices. CC ID 16379 | System hardening through configuration management | Preventive | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Retention for the specified period; and OPS-12 ¶ 1 Bullet 2] | Records management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 [{appropriate format} The Cloud Service Provider retains the generated log data and keeps these in an appropriate, unchangeable and aggregated form, regardless of the source of such data, so that a central, authorised evaluation of the data is possible. Log data is deleted if it is no longer required for the purpose for which they were collected. OPS-14 ¶ 1] | Records management | Preventive | |
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Preventive | |
Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Systems design, build, and implementation | Preventive | |
Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Systems design, build, and implementation | Preventive | |
Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Detective | |
Digitally sign software components. CC ID 16490 | Systems design, build, and implementation | Preventive | |
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: whether the Cloud Service Provider has the ability to decrypt encrypted data of the cloud customers in case of such requests and how this ability for access or disclosure is used. BC-05 ¶ 1 Bullet 4] | Privacy protection for information and data | Preventive | |
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective Access to or disclosure of cloud customer data in connection with government investigation requests is subject to the proviso that the Cloud Service Provider's legal assessment has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis. INQ-03 ¶ 1] | Privacy protection for information and data | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Preventive | |
Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{nondisclosure agreement} The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated. HR-06 ¶ 3 The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted. HR-06 ¶ 2] | Third Party and supply chain oversight | Detective | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
Sanitize customer data from all shared resources upon agreement termination. CC ID 12175 [{alternate} Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. Section 5.10 Objective] | Technical security | Preventive | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Physical delivery and transport; AM-02 ¶ 1 Bullet 10] | Physical and environmental protection | Preventive | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{appropriate format} The Cloud Service Provider retains the generated log data and keeps these in an appropriate, unchangeable and aggregated form, regardless of the source of such data, so that a central, authorised evaluation of the data is possible. Log data is deleted if it is no longer required for the purpose for which they were collected. OPS-14 ¶ 1 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Information regarding the purpose and retention period of the logs; OPS-10 ¶ 1 Bullet 3] | Records management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The logged information is protected from unauthorised access and modification and can be deleted by the Cloud Customer. PSS-04 ¶ 3] | Records management | Preventive | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Detective | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Detective | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2 {take into account} Business continuity plans and contingency plans take the following aspects into account: Interfaces to Security Incident Management. BCM-03 ¶ 2 Bullet 8] | Operational and Systems Continuity | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Operational and Systems Continuity | Detective | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Access to the backed-up data and the execution of restores is performed only by authorised persons; and OPS-06 ¶ 1 Bullet 3] | Operational and Systems Continuity | Corrective | |
Include tolerance levels in the continuity plan. CC ID 17305 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Identify and document critical facilities. CC ID 17304 | Operational and Systems Continuity | Preventive | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Detective | |
Document the mean time to failure for system components. CC ID 10684 [The time limits for self-sufficient operation provide for at least 48 hours in the event of a failure of the external power supply. PS-01 ¶ 6 {exceptional circumstance} {maximum tolerable downtime} The security requirements include time constraints for self-sufficient operation in the event of exceptional events (e.g. prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime. PS-01 ¶ 5] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Recovery time (time elapsed until the incident has been resolved); and BC-02 ¶ 1 Bullet 4 The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Maximum tolerable downtime/Recovery Time Objective (RTO) BC-03 ¶ 1 Bullet 1 The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Restore time until normal operation BC-03 ¶ 1 Bullet 5] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Maximum allowable data loss/Recovery Point Objective (RPO) BC-03 ¶ 1 Bullet 2 {recovery level objective} The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Recovery level (capacity related to regular operation) BC-03 ¶ 1 Bullet 4] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Preventive | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO); OPS-06 ¶ 1 Bullet 1] | Operational and Systems Continuity | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Implement network redundancy, as necessary. CC ID 13048 [The connection to the telecommunications network is designed with sufficient redundancy so that the failure of a telecommunications network does not impair the security or performance of the Cloud Service Provider. PS-06 ¶ 4] | Operational management | Preventive | |
Verify the organization has Emergency Power Supplies available for the systems. CC ID 01912 [{power supply facility} {emergency power solution} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-06 ¶ 1(b)] | System hardening through configuration management | Preventive | |
Verify enough emergency power is available for a graceful shutdown if the primary power system fails. CC ID 01913 | System hardening through configuration management | Preventive | |
Verify emergency power continuity procedures are in place to transfer power to a secondary source if the primary power system fails. CC ID 01914 | System hardening through configuration management | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 [Exit strategies are aligned with operational continuity plans and include the following aspects: SSO-05 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective | |
Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [{be risk-based} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Risk-based provisions for the use of encryption which are aligned with the information classification schemes (cf. AM-06) and consider the communication channel, type, strength and quality of the encryption; CRY-01 ¶ 1 Bullet 2] | Operational management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 [The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Operational management | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems design, build, and implementation | Preventive | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Systems design, build, and implementation | Preventive | |
Establish and maintain System Development Life Cycle documentation. CC ID 12079 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: DEV-01 ¶ 2] | Systems design, build, and implementation | Preventive | |
Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 [Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access and monitor the agreed services and security requirements. Section 5.12 Objective] | Systems design, build, and implementation | Preventive | |
Obtain approval from appropriate parties for system design projects. CC ID 01033 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Systems design, build, and implementation | Preventive | |
Separate the design and development environment from the production environment. CC ID 06088 [Production environments are physically or logically separated from test or development environments to prevent unauthorised access to cloud customer data, the spread of malware, or changes to system components. Data contained in the production environments is not used in test or development environments in order not to compromise their confidentiality. DEV-10 ¶ 1] | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in operation (reaction to identified faults and vulnerabilities). DEV-01 ¶ 2 Bullet 3 Policies and instructions with technical and organisational measures for the secure development of the cloud service are documented, communicated and provided in accordance with SP-01. DEV-01 ¶ 1] | Systems design, build, and implementation | Preventive | |
Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems design, build, and implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in Software Development (Requirements, Design, Implementation, Testing and Verification); DEV-01 ¶ 2 Bullet 1] | Systems design, build, and implementation | Preventive | |
Include security requirements in the system design specification. CC ID 06826 [Ensure information security in the development cycle of information systems. Section 5.11 Objective] | Systems design, build, and implementation | Preventive | |
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Preventive | |
Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Preventive | |
Implement data controls when developing systems. CC ID 15302 | Systems design, build, and implementation | Preventive | |
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Preventive | |
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Preventive | |
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Preventive | |
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Preventive | |
Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Preventive | |
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Preventive | |
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Preventive | |
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Preventive | |
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Preventive | |
Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Preventive | |
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Preventive | |
Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems design, build, and implementation | Preventive | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Preventive | |
Automate secure update mechanisms, as necessary. CC ID 14933 [Assets provided by the Cloud Service Provider, which must be installed, provided or operated by cloud users within their area of responsibility, are equipped with automatic update mechanisms. After approval by the respective cloud user, software updates can be rolled out in such a way that they can be distributed to all affected users without human interaction. PSS-03 ¶ 5] | Systems design, build, and implementation | Preventive | |
Design the privacy architecture. CC ID 14671 | Systems design, build, and implementation | Preventive | |
Implement software development version controls. CC ID 01098 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Requirements for versions of software and images as well as application of patches; AM-02 ¶ 1 Bullet 5] | Systems design, build, and implementation | Preventive | |
Develop new products based on secure coding techniques. CC ID 11733 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in software deployment (including continuous delivery); and DEV-01 ¶ 2 Bullet 2] | Systems design, build, and implementation | Preventive | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [{information security organization} If the cloud service is used by public sector organisations in Germany, the Cloud Service Provider leverages contacts with the National IT Situation Centre and the CERT Association of the BSI. OIS-05 ¶ 2 The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19). OIS-05 ¶ 1] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Preventive | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 [The logging data is automatically monitored for events that may violate the protection goals in accordance with the logging and monitoring requirements. This also includes the detection of relationships between events (event correlation). OPS-13 ¶ 1] | Monitoring and measurement | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Corrective | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1] | Monitoring and measurement | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Regular identification of vulnerabilities; OPS-18 ¶ 1 Bullet 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Information sources on known vulnerabilities and update mechanisms; PSS-01 ¶ 2 Bullet 2 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1 The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria and actions for timely remediation or mitigation are initiated. DEV-06 ¶ 3 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2 The severity of identified vulnerabilities is assessed according to defined criteria and measures are taken to immediately eliminate or mitigate them. PSS-02 ¶ 3 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Monitoring and measurement | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 [The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. PSS-02 ¶ 4] | Monitoring and measurement | Preventive | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [{not been implemented} Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Handling of system components for which no measures are initiated for the timely remediation or mitigation of vulnerabilities. OPS-18 ¶ 1 Bullet 4 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2 {vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Monitoring and measurement | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1 Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1 The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria and actions for timely remediation or mitigation are initiated. DEV-06 ¶ 3 The severity of identified vulnerabilities is assessed according to defined criteria and measures are taken to immediately eliminate or mitigate them. PSS-02 ¶ 3 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Monitoring and measurement | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19). OIS-05 ¶ 1] | Audits and risk management | Preventive | |
Identify external requirements for customer access. CC ID 12736 | Technical security | Detective | |
Address and remediate external requirements for customer access. CC ID 12737 | Technical security | Corrective | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
Review user accounts. CC ID 00525 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Regular review of assigned user accounts and access rights; IDM-01 ¶ 1 Bullet 6] | Technical security | Detective | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
Establish access rights based on least privilege. CC ID 01411 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Granting and modifying user accounts and access rights based on the "least-privilege-principle" and the "need-to-know" principle; IDM-01 ¶ 1 Bullet 2 Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ("need-to-know principle"). Technical users are assigned to internal or external employees of the Cloud Service Provider. IDM-06 ¶ 2] | Technical security | Preventive | |
Assign user permissions based on job responsibilities. CC ID 00538 [Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ("need-to-know principle"). Technical users are assigned to internal or external employees of the Cloud Service Provider. IDM-06 ¶ 2] | Technical security | Preventive | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 [User accounts of internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider are automatically locked if they have not been used for a period of two months. Approval from authorised personnel or system components is required to unlock these accounts. IDM-03 ¶ 1] | Technical security | Preventive | |
Establish session authenticity through Transport Layer Security. CC ID 01627 [{be inactive} To protect confidentiality, availability, integrity and authenticity during interactions with the cloud service, a suitable session management system is used that at least corresponds to the state-of-the-art and is protected against known attacks. Mechanisms are implemented that invalidate a session after it has been detected as inactive. The inactivity can be detected by time measurement. In this case, the time interval can be configured by the Cloud Service Provider or – if technically possible – by the cloud customer. PSS-06 ¶ 1] | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Enforce access restrictions for change control. CC ID 01428 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1] | Technical security | Preventive | |
Review all user privileges, as necessary. CC ID 06784 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Regular review of assigned user accounts and access rights; IDM-01 ¶ 1 Bullet 6 Privileged access rights are reviewed at least every six months. IDM-05 ¶ 2 Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{least privilege} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Specified procedure for the granting and revoking of access authorisations (cf. IDM-02) based on the principle of least authorisation ("least-privilege-principle") and as necessary for the performance of tasks ("need-to-know principle"); PS-04 ¶ 3 Bullet 1] | Technical security | Preventive | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1 Privileged access rights for internal and external employees as well as technical users of the Cloud Service Provider are assigned and changed in accordance to the policy for managing user accounts and access rights (cf. IDM-01) or a separate specific policy. IDM-06 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical security | Preventive | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
Remove inactive user accounts, as necessary. CC ID 00517 [{automated} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Automatic revocation of access authorisations if they have not been used for a period of 2 months; PS-04 ¶ 3 Bullet 2 {automated} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Automatic withdrawal of access authorisations if they have not been used for a period of 6 months; PS-04 ¶ 3 Bullet 3 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Blocking and removing access accounts in the event of inactivity; IDM-01 ¶ 1 Bullet 7 Locked user accounts are automatically revoked after six months. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-03 ¶ 2] | Technical security | Corrective | |
Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Locked user accounts are automatically revoked after six months. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-03 ¶ 2] | Technical security | Preventive | |
Implement out-of-band authentication, as necessary. CC ID 10606 [{authentication factor} The cloud service offers out-of-band authentication (OOB), in which the factors are transmitted via different channels (e.g. Internet and mobile network). PSS-05 ¶ 4] | Technical security | Corrective | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Preventive | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
Require proper authentication for user identifiers. CC ID 11785 | Technical security | Preventive | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Preventive | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Preventive | |
Identify and control all network access controls. CC ID 00529 [{alternate} The cloud service can be accessed by other cloud services or IT systems of cloud customers through documented inbound and outbound interfaces. Further, the interfaces are clearly documented for subject matter experts on how they can be used to retrieve the data. PI-01 ¶ 1] | Technical security | Preventive | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Technical security | Detective | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Preventive | |
Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical security | Preventive | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Preventive | |
Implement segregation of duties. CC ID 11843 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Segregation of duties between operational and monitoring functions ("Segregation of Duties"); IDM-01 ¶ 1 Bullet 3 The rights profiles are suitable for enabling cloud users to manage access authorisations and permissions in accordance with the principle of least-privilege and how it is necessary for the performance of tasks ("need-to-know principle") and to implement the principle of functional separation between operational and controlling functions ("separation of duties"). PSS-08 ¶ 2] | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Preventive | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Technical security | Preventive | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Preventive | |
Separate user functionality from system management functionality. CC ID 11858 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Technical security | Preventive | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Preventive | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [{be appropriate} {be effective} Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. Section 5.8 Objective {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical security | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Consideration of relevant legal and regulatory obligations and requirements. CRY-01 ¶ 1 Bullet 4] | Technical security | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 [{be different} Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Generation of keys for different cryptographic systems and applications; CRY-04 ¶ 1 Bullet 1] | Technical security | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised; CRY-04 ¶ 1 Bullet 5 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Handling of compromised keys; CRY-04 ¶ 1 Bullet 6 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Withdrawal and deletion of keys; and CRY-04 ¶ 1 Bullet 7] | Technical security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Between logging servers and the assets to be logged, authentication takes place to protect the integrity and authenticity of the information transmitted and stored. The transfer takes place using state-of-the-art encryption or a dedicated administration network (out-of-band management). OPS-14 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of all data. CRY-02 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of data of cloud customers over public networks. CRY-02 ¶ 1] | Technical security | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Usage of strong encryption procedures and secure network protocols that correspond to the state-of-the-art; CRY-01 ¶ 1 Bullet 1 {be risk-based} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Risk-based provisions for the use of encryption which are aligned with the information classification schemes (cf. AM-06) and consider the communication channel, type, strength and quality of the encryption; CRY-01 ¶ 1 Bullet 2] | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Preventive | |
Remove data remnants in terminated Virtual Machines. CC ID 12168 | Technical security | Corrective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1] | Human Resources management | Corrective | |
Limit any effects of a Denial of Service attack. CC ID 06754 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Operational management | Preventive | |
Refrain from implementing network elements in a public cloud. CC ID 16382 | Operational management | Preventive | |
Establish, implement, and maintain cloud management procedures. CC ID 13149 [{is able} {specify} {locations} {data processing} {storage} This must be ensured by the cloud architecture. PSS-12 ¶ 2] | Operational management | Preventive | |
Use strong data encryption when storing information within a cloud service. CC ID 16411 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Operational management | Preventive | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 [{automate} {responsible personnel} The inventory is performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle. AM-01 ¶ 2] | Operational management | Preventive | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
Categorize the incident following an incident response. CC ID 13208 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1] | Operational management | Preventive | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Integrate configuration management procedures into the change control program. CC ID 13646 [Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility is restricted to authorised users. Changes to the configuration are made in accordance with the applicable policies (cf. DEV-03). OPS-16 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: DEV-03 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Operational management | Preventive | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Two-factor or multi-factor authentication for users with privileged access; and IDM-01 ¶ 1 Bullet 9 For privileged users, IT components or applications, these authentication mechanisms are enforced. PSS-05 ¶ 3] | System hardening through configuration management | Preventive | |
Store master images on securely configured servers. CC ID 12089 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2] | System hardening through configuration management | Preventive | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Preventive | |
Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Systems design, build, and implementation | Preventive | |
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Preventive | |
Protect source code in accordance with organizational requirements. CC ID 16855 | Systems design, build, and implementation | Preventive | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Preventive | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Preventive | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Metadata is collected and used solely for billing, incident management and security incident management purposes; OPS-11 ¶ 1 Bullet 1 {refrain from using} Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: No commercial use; OPS-11 ¶ 1 Bullet 3] | Privacy protection for information and data | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Preventive | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Preventive | |
Protect systems and data during testing in the production environment. CC ID 17198 | Monitoring and measurement | Preventive | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Monitoring and measurement | Preventive | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for segregation of duties during development, testing and release of changes; DEV-03 ¶ 1 Bullet 3] | Monitoring and measurement | Detective | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Monitoring and measurement | Preventive | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 [The Cloud Service Provider has penetration tests carried out by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to a documented test methodology and include the system components relevant to the provision of the cloud service in the area of responsibility of the Cloud Service Provider, which have been identified as such in a risk analysis. OPS-19 ¶ 1 The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. OPS-19 ¶ 4] | Monitoring and measurement | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 [The Cloud Service Provider has penetration tests carried out by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to a documented test methodology and include the system components relevant to the provision of the cloud service in the area of responsibility of the Cloud Service Provider, which have been identified as such in a risk analysis. OPS-19 ¶ 1] | Monitoring and measurement | Detective | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Preventive | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
Document and maintain test results. CC ID 17028 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Results of the last management review (Section 9.3). OIS-01 ¶ 2 Bullet 3 {assessment} {incident management} {vulnerability management} Results are evaluated at least quarterly by accountable departments at the Cloud Service Provider to initiate continuous improvement actions and to verify their effectiveness. OPS-20 ¶ 2] | Monitoring and measurement | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the controls stated in the description were suitably designed and implemented to meet the applicable C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report); and, Section 3.4.4.2 ¶ 1 Bullet 2] | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9)) Section 3.4.8 ¶ 2 1 (c) According to ISAE 3000 (Revised), the auditor must determine before accepting an engagement that the professional duties (for auditors in Germany § 43 WPO, German Law regulating the Profession of Wirtschaftsprüfer: Wirtschaftsprüferordnung), including the duty of independence, are complied with. Based on the auditor's knowledge of the subject matter, the auditor shall assess whether the members of the audit team entrusted with the engagement have the necessary competency and understanding of the industry as well as capabilities to perform the audit and whether sufficient experience with the relevant formal requirements is available or can be obtained. Section 3.4.9 ¶ 1] | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Attacks via access points, including interfaces accessible from public networks; OIS-07 ¶ 1 Bullet 3 The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Operation of the system components. OIS-04 ¶ 2 Bullet 3 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Audits and risk management | Detective | |
Employ unique identifiers. CC ID 01273 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Assignment of unique usernames; IDM-01 ¶ 1 Bullet 1] | Technical security | Detective | |
Test the information exchange procedures. CC ID 17115 | Technical security | Preventive | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Detective | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [Restore procedures are tested regularly, at least annually. The tests allow an assessment to be made as to whether the contractual agreements as well as the specifications for the maximum tolerable downtime (Recovery Time Objective, RTO) and the maximum permissible data loss (Recovery Point Objective, RPO) are adhered to (cf. BCM-02). OPS-08 ¶ 1] | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2 Plan, implement, maintain and test procedures and measures for business continuity and emergency management. Section 5.14 Objective The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Detective | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Preventive | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1] | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The competency and integrity of all internal and external employees of the Cloud Service Provider with access to cloud customer data or system components under the Cloud Service Provider's responsibility who are responsible to provide the cloud service in the production environment shall be verified prior to commencement of employment in accordance with local legislation and regulation by the Cloud Service Provider. HR-01 ¶ 1] | Human Resources management | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Conflicting tasks and responsibilities are separated based on an OIS-06 risk assessment to reduce the risk of unauthorised or unintended changes or misuse of cloud customer data processed, stored or transmitted in the cloud service. OIS-04 ¶ 1 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Segregation of duties between managing, approving and assigning user accounts and access rights; IDM-01 ¶ 1 Bullet 4] | Human Resources management | Detective | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Operational management | Corrective | |
Test the incident response procedures. CC ID 01216 [The Cloud Service Provider simulates the identification, analysis and defence of security incidents and attacks at least once a year through appropriate tests and exercises (e.g. Red Team training). SIM-02 ¶ 2] | Operational management | Detective | |
Test proposed changes prior to their approval. CC ID 00548 [Changes to the cloud service are subject to appropriate testing during software development and deployment. DEV-06 ¶ 1 {change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state-of-the-art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 [The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Development, testing and release of changes (cf. DEV-01); and OIS-04 ¶ 2 Bullet 2 In accordance with the applicable policies (cf. DEV-03), changes are subjected to a risk assessment with regard to potential effects on the system components concerned and are categorised and prioritised accordingly. DEV-05 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Preventive | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | System hardening through configuration management | Detective | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Preventive | |
Restrict production data from being used in the test environment. CC ID 01103 [Production environments are physically or logically separated from test or development environments to prevent unauthorised access to cloud customer data, the spread of malware, or changes to system components. Data contained in the production environments is not used in test or development environments in order not to compromise their confidentiality. DEV-10 ¶ 1] | Systems design, build, and implementation | Detective | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Code reviews by the Cloud Service Provider's subject matter experts; and PSS-02 ¶ 2 Bullet 3 The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. PSS-02 ¶ 4] | Systems design, build, and implementation | Detective | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [In procurement, products are preferred which have been certified according to the "Common Criteria for Information Technology Security Evaluation" (short: Common Criteria – CC) according to Evaluation Assurance Level EAL 4. If non-certified products are to be procured for available certified products, a risk assessment is carried out in accordance with OIS-07. DEV-01 ¶ 3] | Acquisition or sale of facilities, technology, and services | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 [The Cloud Service Provider applies appropriate measures to check the cloud service for vulnerabilities which might have been integrated into the cloud service during the software development process. PSS-02 ¶ 1 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Static Application Security Testing; PSS-02 ¶ 2 Bullet 1 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Dynamic Application Security Testing; PSS-02 ¶ 2 Bullet 2] | Acquisition or sale of facilities, technology, and services | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Detective | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Information security requirements for the processing, storage or transmission of information by third parties based on recognised industry standards; SSO-01 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [{independent audit report} {internal control system} The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance. SSO-01 ¶ 3] | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Service providers and suppliers of the Cloud Service Provider undergo a risk assessment in accordance with the policies and instructions for the control and monitoring of third parties prior to contributing to the delivery of the cloud service. The adequacy of the risk assessment is reviewed regularly, at least annually, by qualified personnel of the Cloud Service Provider during service usage. SSO-02 ¶ 1 The frequency of the monitoring corresponds to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. SSO-02). The results of the monitoring are included in the review of the third party's risk assessment. SSO-04 ¶ 3] | Third Party and supply chain oversight | Detective | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Operational and Systems Continuity | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Preventive | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Preventive | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Include cloud security in the security awareness program. CC ID 13039 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; HR-03 ¶ 1 Bullet 1] | Human Resources management | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include data management in the security awareness program. CC ID 17010 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Handling cloud customer data in accordance with applicable policies and instructions and applicable legal and regulatory requirements; HR-03 ¶ 1 Bullet 2] | Human Resources management | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Information about the current threat situation; and HR-03 ¶ 1 Bullet 3 The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1] | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Correct errors and deficiencies in a timely manner. CC ID 13501 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1 The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Leadership and high level objectives | Business Processes | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Information on the general conditions of the cloud service in accordance with the criteria in Section 5 of this criteria catalogue, which enable potential customers of the Cloud Service Provider to assess its suitability for their use case; Section 3.4.4.1 ¶ 1 Bullet 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Malfunctions. OIS-03 ¶ 1 Bullet 3 Deviations from the specifications are reported to the responsible personnel or system components so that these can promptly assess the deviations and initiate the necessary actions. OPS-08 ¶ 2 System components in the Cloud Service Provider's area of responsibility are automatically monitored for compliance with hardening specifications. Deviations from the specifications are automatically reported to the appropriate departments of the Cloud Service Provider for immediate assessment and action. OPS-23 ¶ 3 {automate} Identified violations and discrepancies are automatically reported to the responsible personnel or system components of the Cloud Service Provider for prompt assessment and action. SSO-04 ¶ 6 At startup and runtime of virtual machine or container images, an integrity check is performed that detects image manipulations and reports them to the cloud customer. PSS-11 ¶ 2] | Monitoring and measurement | Communicate | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 [Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitoring and measurement | Establish/Maintain Documentation | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Monitoring and measurement | Technical Security | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 [The Cloud Service Provider operates or refers to a daily updated online register of known vulnerabilities that affect the Cloud Service Provider and assets provided by the Cloud Service Provider that the cloud customers have to install, provide or operate themselves under the customers' responsibility. PSS-03 ¶ 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Information sources on known vulnerabilities and update mechanisms; PSS-01 ¶ 2 Bullet 2] | Monitoring and measurement | Configuration | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
Perform vulnerability assessments, as necessary. CC ID 11828 [System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1 The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria and actions for timely remediation or mitigation are initiated. DEV-06 ¶ 3 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2 The severity of identified vulnerabilities is assessed according to defined criteria and measures are taken to immediately eliminate or mitigate them. PSS-02 ¶ 3 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Monitoring and measurement | Technical Security | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [{not been implemented} Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Handling of system components for which no measures are initiated for the timely remediation or mitigation of vulnerabilities. OPS-18 ¶ 1 Bullet 4 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2 {vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Monitoring and measurement | Technical Security | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 [{criticality level} For findings with medium or high criticality regarding the confidentiality, integrity or availability of the cloud service, actions must be taken within defined time windows for prompt remediation or mitigation. OPS-19 ¶ 3 The Cloud Service Provider assesses the severity of the findings made in penetration tests according to defined criteria. OPS-19 ¶ 2] | Monitoring and measurement | Establish/Maintain Documentation | |
Correct or mitigate vulnerabilities. CC ID 12497 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1 Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1 The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria and actions for timely remediation or mitigation are initiated. DEV-06 ¶ 3 The severity of identified vulnerabilities is assessed according to defined criteria and measures are taken to immediately eliminate or mitigate them. PSS-02 ¶ 3 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02) PSS-09 ¶ 2] | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: HR-04 ¶ 1 Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitoring and measurement | Behavior | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was detected by the Cloud Service Provider itself, when and in the course of which measures the deviation was detected. Section 3.4.7 ¶ 2 Bullet 1 Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: Section 3.4.7 ¶ 2 Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: The measures to be taken to remedy the deviation in the future and when these measures are likely to be completed or effectively implemented. Section 3.4.7 ¶ 2 Bullet 3] | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [{confidentiality} {authentication information} Deviations are evaluated by means of a risk analysis and mitigating measures derived from this are implemented. IDM-08 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
Address and remediate external requirements for customer access. CC ID 12737 | Technical security | Technical Security | |
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Time-based or event-driven removal or adjustment of access rights in the event of changes to job responsibility; IDM-01 ¶ 1 Bullet 8] | Technical security | Behavior | |
Remove inactive user accounts, as necessary. CC ID 00517 [{automated} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Automatic revocation of access authorisations if they have not been used for a period of 2 months; PS-04 ¶ 3 Bullet 2 {automated} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Automatic withdrawal of access authorisations if they have not been used for a period of 6 months; PS-04 ¶ 3 Bullet 3 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Blocking and removing access accounts in the event of inactivity; IDM-01 ¶ 1 Bullet 7 Locked user accounts are automatically revoked after six months. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-03 ¶ 2] | Technical security | Technical Security | |
Implement out-of-band authentication, as necessary. CC ID 10606 [{authentication factor} The cloud service offers out-of-band authentication (OOB), in which the factors are transmitted via different channels (e.g. Internet and mobile network). PSS-05 ¶ 4] | Technical security | Technical Security | |
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: PS-04 ¶ 3] | Technical security | Communicate | |
Revoke membership in the allowlist, as necessary. CC ID 13827 | Technical security | Establish/Maintain Documentation | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Data and Information Management | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
Remove data remnants in terminated Virtual Machines. CC ID 12168 | Technical security | Technical Security | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
Restore systems and environments to be operational. CC ID 13476 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Access to the backed-up data and the execution of restores is performed only by authorised persons; and OPS-06 ¶ 1 Bullet 3] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [Plan, implement, maintain and test procedures and measures for business continuity and emergency management. Section 5.14 Objective The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1 {take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Configuration | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1] | Human Resources management | Technical Security | |
Conduct secure coding and development training for developers. CC ID 06822 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Human Resources management | Behavior | |
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: Consideration of the nature and severity of the violation and its impact. HR-04 ¶ 1 Bullet 2] | Human Resources management | Behavior | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Legal consequences of non-compliance. BC-02 ¶ 1 Bullet 5] | Operational management | Process or Activity | |
Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [The Cloud Service Provider periodically informs the cloud customer on the status of incidents affecting the cloud customer, or, where appropriate and necessary, involves the customer in the resolution, in a manner consistent with the contractual agreements. OPS-21 ¶ 1 {incident response report} The customer can either actively approve solutions or the solution is automatically approved after a certain period. SIM-03 ¶ 2 The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Process or Activity | |
Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
Assess all incidents to determine what information was accessed. CC ID 01226 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Operational management | Testing | |
Share incident information with interested personnel and affected parties. CC ID 01212 [The Cloud Service Provider periodically informs the cloud customer on the status of incidents affecting the cloud customer, or, where appropriate and necessary, involves the customer in the resolution, in a manner consistent with the contractual agreements. OPS-21 ¶ 1 Identified events are automatically reported to the appropriate departments for prompt evaluation and action. OPS-13 ¶ 2 Information on security incidents or confirmed security breaches is made available to all affected customers. SIM-03 ¶ 3 Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Customers affected by security incidents are informed in a timely and appropriate manner. SIM-01 ¶ 4] | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Information on security incidents or confirmed security breaches is made available to all affected customers. SIM-03 ¶ 3] | Operational management | Communicate | |
Collect evidence from the incident scene. CC ID 02236 | Operational management | Business Processes | |
Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Business Processes | |
Review and update the security architecture, as necessary. CC ID 14277 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Disseminate and communicate critical security updates to users. CC ID 14942 [{time frame} For each vulnerability, it is indicated whether software updates (e.g. patch, update) are available, when they will be rolled out and whether they will be deployed by the Cloud Service Provider, the cloud customer or both of them together. PSS-03 ¶ 4] | Systems design, build, and implementation | Communicate | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
Terminate supplier relationships, as necessary. CC ID 13489 | Third Party and supply chain oversight | Business Processes | |
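IDM-06 ¶ 3 (cited under CC ID 06774 and CC ID 06675 above) requires that privileged activity is logged, automatically matched against defined events that may indicate misuse, and that the responsible personnel are informed automatically so they can assess whether misuse actually occurred. The following is an added example, not code from the C5 catalogue or from this report, showing that detection logic run over constructed log lines. The log format, the three "defined events" (stopping the audit daemon, privileged reads of tenant data, privileged use outside a maintenance window with no change ticket) and the 06:00 to 21:59 UTC window are assumptions for illustration; in a real deployment they come from the provider's own logging concept (OPS-12) and policies. Note the caveat the criterion itself carries: an alert is a prompt for assessment, and disciplinary measures under HR-04 follow only proven misuse.

```python
"""
Added example (not part of the C5 catalogue or this report): IDM-06 style
monitoring of privileged-account activity over constructed sample logs.
Log format, event definitions and maintenance window are assumptions.
"""
import re
from datetime import datetime

# Constructed sample log lines, not real data. priv=1 marks a privileged account.
SAMPLE_LOG = """\
2024-06-01T02:13:00Z user=alice priv=1 action=sudo cmd="systemctl stop auditd" ticket=-
2024-06-01T10:05:00Z user=bob priv=1 action=sudo cmd="apt-get upgrade" ticket=CHG-1042
2024-06-01T03:40:00Z user=carol priv=1 action=read target=customer-data/tenant-17/db ticket=-
2024-06-01T11:00:00Z user=dave priv=0 action=read target=customer-data/tenant-17/db ticket=-
2024-06-01T23:30:00Z user=erin priv=1 action=sudo cmd="reboot" ticket=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) priv=(?P<priv>[01]) action=(?P<action>\S+)'
    r'(?: cmd="(?P<cmd>[^"]*)")?(?: target=(?P<target>\S+))? ticket=(?P<ticket>\S+)$'
)

# Assumed maintenance window (UTC hours): privileged work without a change ticket
# is expected only between 06:00 and 21:59.
WINDOW_START, WINDOW_END = 6, 22


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # in production an unparsable privileged-log line is itself a finding
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["priv"] = rec["priv"] == "1"
    return rec


def rules(rec):
    """Yield the names of the defined events that a parsed record matches."""
    if not rec["priv"]:
        return  # IDM-06 covers privileged accounts; other users fall under other controls
    cmd = rec.get("cmd") or ""
    if "auditd" in cmd:
        yield "audit-tamper"          # stopping or altering the audit daemon
    if (rec.get("target") or "").startswith("customer-data/"):
        yield "customer-data-access"  # privileged staff touching tenant data
    if rec["ticket"] == "-" and not (WINDOW_START <= rec["ts"].hour < WINDOW_END):
        yield "off-hours-no-ticket"   # privileged use outside the window, no change record


def detect(log_text, notify):
    """Return an alert per matched event and hand each alert to notify() as it is raised."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        for rule in rules(rec):
            alert = {"ts": rec["ts"].isoformat(), "user": rec["user"], "rule": rule}
            alerts.append(alert)
            notify(alert)  # automatic notification of the responsible personnel
    return alerts


def run_sample():
    """Run detection over the constructed log; returns (alerts, alerts delivered to notify)."""
    delivered = []
    alerts = detect(SAMPLE_LOG, delivered.append)
    return alerts, delivered


if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(alert)
```

On the constructed log this raises five alerts: two for alice (audit tampering and off-hours use), two for carol (tenant data access and off-hours use) and one for erin (off-hours use). bob's privileged work is covered by a change ticket inside the window, and dave is not privileged, so neither produces an alert. Assessment of whether any of the five is actual misuse remains a human step.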
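The vulnerability rows above (CC ID 11828, CC ID 11639, CC ID 12497 and CC ID 13859) quote OPS-22 (automated check at least monthly, severity by defined criteria, remediation within defined time windows), OPS-18 ¶ 1 Bullet 4 (documented handling of components for which no remediation is initiated), PSS-09 ¶ 2 (CVSS as the severity metric, unfixed vulnerabilities published in the register) and PSS-03 ¶ 4 (the register states who deploys the fix). The following is an added example, not code from the C5 catalogue or this report, that puts those requirements into one triage routine. The remediation windows per severity, the 31-day scan interval, the record layout and the VULN-nnnn identifiers are assumptions and constructed placeholders; C5 requires that windows be defined but does not prescribe their length. The severity bands are the CVSS v3.x qualitative rating scale.

```python
"""
Added example (not part of the C5 catalogue or this report): vulnerability
triage following OPS-22, OPS-18, PSS-09 and PSS-03. Windows, scan interval,
record layout and identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale (the industry-standard metric PSS-09 cites)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Assumed remediation windows in days per severity; C5 leaves the values to the provider.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": None}
SCAN_INTERVAL_DAYS = 31  # "at least once a month" (OPS-22), assumed as 31 days


@dataclass
class Finding:
    ident: str                        # scanner identifier; constructed placeholders below
    component: str
    cvss: float
    detected: date
    fixed: Optional[date] = None
    exception: Optional[str] = None   # OPS-18 bullet 4: documented reason when no measure is initiated
    deployed_by: str = "provider"     # PSS-03 paragraph 4: provider, customer or both


def scan_is_current(last_scan: date, today: date) -> bool:
    """OPS-22: the automated check must have run within the last month."""
    return (today - last_scan).days <= SCAN_INTERVAL_DAYS


def triage(findings, today, last_scan):
    """Sort open findings into overdue / on track / excepted and build the public register."""
    report = {"scan_current": scan_is_current(last_scan, today),
              "overdue": [], "on_track": [], "excepted": [], "register": []}
    for f in findings:
        if f.fixed is not None:
            continue
        sev = cvss_severity(f.cvss)
        # PSS-09: anything not yet fixed is listed in the register of known vulnerabilities
        report["register"].append({"id": f.ident, "severity": sev, "deployed_by": f.deployed_by})
        if f.exception:
            # An exception is a tracked, risk-accepted decision, not a silently dropped finding
            report["excepted"].append((f.ident, f.exception))
            continue
        days = REMEDIATION_DAYS[sev]
        if days is None:
            continue
        due = f.detected + timedelta(days=days)
        report["overdue" if today > due else "on_track"].append((f.ident, sev, due))
    return report


def sample_findings():
    """Constructed findings for illustration; the identifiers are placeholders, not real CVEs."""
    return [
        Finding("VULN-0001", "api-gateway", 9.8, date(2024, 5, 10)),
        Finding("VULN-0002", "db-node-3", 7.5, date(2024, 5, 20)),
        Finding("VULN-0003", "legacy-appliance", 5.3, date(2024, 1, 1),
                exception="vendor end-of-life; isolated network segment as compensating control"),
        Finding("VULN-0004", "build-runner", 4.0, date(2024, 1, 1), fixed=date(2024, 2, 1)),
        Finding("VULN-0005", "customer-agent", 3.9, date(2024, 5, 1), deployed_by="customer"),
    ]


def run_sample():
    """Triage the constructed findings as of 2024-06-01 with a scan last run on 2024-04-20."""
    return triage(sample_findings(), date(2024, 6, 1), date(2024, 4, 20))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2, default=str))
```

With the constructed data the critical finding detected on 10 May is overdue against a 7-day window, the high and low findings are on track, the end-of-life appliance sits in the exception list with its compensating control recorded, the fixed finding drops out, and the register carries every unfixed item together with who deploys the fix. The scan itself is flagged as stale because 42 days have passed since the last run, which is the OPS-22 check that a triage tool should surface before anyone trusts the rest of the report.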
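The access-rights rows above (CC ID 00788, CC ID 00517 and CC ID 11826) quote concrete time windows: IDM-04 ¶ 1 gives 48 hours for privileged and 14 days for all other rights after a change of responsibility, PS-04 ¶ 3 gives 2 months unused before revocation and 6 months before withdrawal for the (physical) access control system, and IDM-03 ¶ 2 revokes locked user accounts after six months. The following is an added example, not code from the C5 catalogue or this report, of a review sweep that applies those windows to an inventory. The record layout is an assumption, calendar months are approximated as 61 and 183 days, and badge and user accounts are treated alike, which the catalogue does not itself say. One caveat from IDM-03 and IDM-04 that the code only records as a finding: after revocation, re-granting goes through the IDM-02 procedure rather than a simple unlock.

```python
"""
Added example (not part of the C5 catalogue or this report): access-rights
review sweep applying the IDM-04, PS-04 and IDM-03 time windows.
Record layout and day counts for "months" are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRIVILEGED_WINDOW = timedelta(hours=48)   # IDM-04: privileged rights after a responsibility change
STANDARD_WINDOW = timedelta(days=14)      # IDM-04: all other rights
LOCK_AFTER = timedelta(days=61)           # PS-04 "2 months", assumed as 61 days
REVOKE_AFTER = timedelta(days=183)        # PS-04 / IDM-03 "6 months", assumed as 183 days


@dataclass
class Account:
    name: str
    privileged: bool
    last_used: datetime
    role_changed: Optional[datetime] = None     # job responsibility changed at this time
    rights_adjusted: Optional[datetime] = None  # rights adjusted or revoked after that change
    locked_since: Optional[datetime] = None


def review(accounts, now):
    """Return (account name, finding) pairs; an empty list means nothing is overdue."""
    findings = []
    for a in accounts:
        # IDM-04: a change of responsibility must be followed by an adjustment within the window
        adjusted = (a.role_changed is not None and a.rights_adjusted is not None
                    and a.rights_adjusted >= a.role_changed)
        if a.role_changed is not None and not adjusted:
            window = PRIVILEGED_WINDOW if a.privileged else STANDARD_WINDOW
            if now - a.role_changed > window:
                findings.append((a.name, "IDM-04: adjustment window exceeded, revoke now"))
        # IDM-03: a locked account is revoked after six months; re-granting goes through IDM-02
        if a.locked_since is not None and now - a.locked_since > REVOKE_AFTER:
            findings.append((a.name, "IDM-03: locked for more than 6 months, revoke"))
            continue
        # PS-04: inactivity thresholds for authorisations that are still live
        idle = now - a.last_used
        if idle > REVOKE_AFTER:
            findings.append((a.name, "PS-04: unused for more than 6 months, withdraw"))
        elif idle > LOCK_AFTER and a.locked_since is None:
            findings.append((a.name, "PS-04: unused for more than 2 months, lock"))
    return findings


def sample_accounts(now):
    """Constructed inventory for illustration; names and dates are placeholders."""
    d = lambda n: now - timedelta(days=n)
    return [
        Account("alice", True, last_used=d(1), role_changed=d(3)),                       # 3 days > 48 h
        Account("bob", False, last_used=d(1), role_changed=d(3)),                        # 3 days < 14 days
        Account("carol", False, last_used=d(70)),                                        # idle past 2 months
        Account("dave", True, last_used=d(300), locked_since=d(200)),                    # locked > 6 months
        Account("erin", True, last_used=d(1), role_changed=d(10), rights_adjusted=d(9)), # handled in time
        Account("frank", False, last_used=d(190), locked_since=d(100)),                  # idle > 6 months
    ]


def run_sample():
    """Review the constructed inventory as of 2024-06-01 12:00."""
    now = datetime(2024, 6, 1, 12, 0)
    return review(sample_accounts(now), now)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

On the constructed inventory the sweep reports alice (privileged, 3 days after a responsibility change with no adjustment), carol (lock after 70 idle days), dave (locked for 200 days, revoke) and frank (190 idle days, withdraw); bob is inside the 14-day window and erin's rights were adjusted the day after her change, so neither appears. Running this daily, rather than only at the annual IDM-05 review, is what keeps the 48-hour window achievable in practice.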
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [{information security organization} If the cloud service is used by public sector organisations in Germany, the Cloud Service Provider leverages contacts with the National IT Situation Centre and the CERT Association of the BSI. OIS-05 ¶ 2 The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19). OIS-05 ¶ 1] | Leadership and high level objectives | Technical Security | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Establish Roles | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for errors and faults. CC ID 04544 [The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1 The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain monitoring and logging operations. CC ID 00637 [The Cloud Service Provider monitors the system components for logging and monitoring in its area of responsibility. Failures are automatically and promptly reported to the Cloud Service Provider's responsible departments so that these can assess the failures and take required action. OPS-17 ¶ 1 The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: OPS-12 ¶ 1] | Monitoring and measurement | Log Management | |
Monitor and evaluate system telemetry data. CC ID 14929 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions. OIS-04 ¶ 3 Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for Denial of Service attacks. CC ID 01222 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Detect unauthorized access to systems. CC ID 06798 [The security measures are designed to detect and prevent unauthorised access so that the information security of the cloud service is not compromised. PS-03 ¶ 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [{take into account} Logging and monitoring applications take the asset protection needs into account in order to inform the responsible stakeholder of events that could lead to a violation of the protection goals, so that the necessary measures are taken with an appropriate priority. Actions for events on assets with a higher level of protection take precedence over events on assets with a lower need for protection. AM-06 ¶ 3 Logging and monitoring applications take into account the information collected on the assets in order to identify the impact on cloud services and functions in case of events that could lead to a breach of protection objectives, and to support information provided to affected cloud customers in accordance with contractual agreements. AM-01 ¶ 4 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Logging and monitoring of activities. COM-02 ¶ 1 Bullet 3] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain event logging procedures. CC ID 01335 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Specifications for activating, stopping and pausing the various logs; OPS-10 ¶ 1 Bullet 2] | Monitoring and measurement | Log Management | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [The logging data is automatically monitored for events that may violate the protection goals in accordance with the logging and monitoring requirements. This also includes the detection of relationships between events (event correlation). OPS-13 ¶ 1 Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitoring and measurement | Log Management | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 [The logging data is automatically monitored for events that may violate the protection goals in accordance with the logging and monitoring requirements. This also includes the detection of relationships between events (event correlation). OPS-13 ¶ 1] | Monitoring and measurement | Technical Security | |
Enable logging for all systems that meet a traceability criteria. CC ID 00640 [The Cloud Service Provider grants its cloud customers contractually guaranteed information and audit rights. COM-02 ¶ 2 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Error handling and logging mechanisms; PSS-01 ¶ 2 Bullet 3 The cloud service provided is equipped with error handling and logging mechanisms. These enable cloud users to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides. PSS-04 ¶ 1] | Monitoring and measurement | Log Management | |
Monitor and evaluate system performance. CC ID 00651 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Performance and availability of system components; SSO-04 ¶ 5 Bullet 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 [If separation cannot be established for organisational or technical reasons, measures are in place to monitor the activities in order to detect unauthorised or unintended changes as well as misuse and to take appropriate actions. OIS-04 ¶ 3 Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Monitoring and measurement | Investigate | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Monitoring and measurement | Investigate | |
Review retail payment service reports, as necessary. CC ID 13545 | Monitoring and measurement | Investigate | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [{malware} The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the subject matter experts so that the deviations are immediately assessed and the necessary measures taken. OPS-05 ¶ 2 System components in the Cloud Service Provider's area of responsibility are automatically monitored for compliance with hardening specifications. Deviations from the specifications are automatically reported to the appropriate departments of the Cloud Service Provider for immediate assessment and action. OPS-23 ¶ 3 The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Configuration of system components; SSO-04 ¶ 5 Bullet 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
Implement file integrity monitoring. CC ID 01205 [At startup and runtime of virtual machine or container images, an integrity check is performed that detects image manipulations and reports them to the cloud customer. PSS-11 ¶ 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Technical Security | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for segregation of duties during development, testing and release of changes; DEV-03 ¶ 1 Bullet 3] | Monitoring and measurement | Testing | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Process or Activity | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
Perform penetration tests, as necessary. CC ID 00655 [The Cloud Service Provider has penetration tests carried out by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to a documented test methodology and include the system components relevant to the provision of the cloud service in the area of responsibility of the Cloud Service Provider, which have been identified as such in a risk analysis. OPS-19 ¶ 1 The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. OPS-19 ¶ 4] | Monitoring and measurement | Testing | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 [The Cloud Service Provider has penetration tests carried out by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to a documented test methodology and include the system components relevant to the provision of the cloud service in the area of responsibility of the Cloud Service Provider, which have been identified as such in a risk analysis. OPS-19 ¶ 1] | Monitoring and measurement | Testing | |
Perform vulnerability scans, as necessary. CC ID 11637 [System components in the area of responsibility of the Cloud Service Provider for the provision of the cloud service are automatically checked for known vulnerabilities at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance with defined criteria and measures for timely remediation or mitigation are initiated within defined time windows. OPS-22 ¶ 1] | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
Identify and document security vulnerabilities. CC ID 11857 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Regular identification of vulnerabilities; OPS-18 ¶ 1 Bullet 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Information sources on known vulnerabilities and update mechanisms; PSS-01 ¶ 2 Bullet 2 The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02). PSS-09 ¶ 2] | Monitoring and measurement | Technical Security | |
Rank discovered vulnerabilities. CC ID 11940 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Assessment of the severity of identified vulnerabilities; OPS-18 ¶ 1 Bullet 2] | Monitoring and measurement | Investigate | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The appropriate and effective verification of implementation is carried out in accordance with the criteria for controlling and monitoring subcontractors (cf. SSO-01, SSO-02). PS-01 ¶ 4 The Cloud Service Provider monitors compliance with information security requirements and applicable legal and regulatory requirements in accordance with policies and instructions concerning controlling and monitoring of third-parties. SSO-04 ¶ 1] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the controls stated in the description were suitably designed and implemented to meet the applicable C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report); and, Section 3.4.4.2 ¶ 1 Bullet 2] | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Audits and risk management | Audits and Risk Management | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 [{independent audit report} Compliance with the qualification requirements shall be confirmed in the section "Independence and quality control of the auditor/auditing firm" of the independent auditor's report. Section 3.4.9 ¶ 6] | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9) Section 3.4.8 ¶ 2 1 (c) According to ISAE 3000 (Revised), the auditor must determine before accepting an engagement that the professional duties (for auditors in Germany § 43 WPO, German Law regulating the Profession of Wirtschaftsprüfer: Wirtschaftsprüferordnung), including the duty of independence, are complied with. Based on the auditor's knowledge of the subject matter, the auditor shall assess whether the members of the audit team entrusted with the engagement have the necessary competency and understanding of the industry as well as capabilities to perform the audit and whether sufficient experience with the relevant formal requirements is available or can be obtained. Section 3.4.9 ¶ 1] | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Testing | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COM-03 ¶ 2] | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: BCM-02 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: Protection needs regarding the confidentiality, integrity, availability and authenticity of information processed, stored or transmitted by the third party; SSO-02 ¶ 2 Bullet 1] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of critical products and services; BCM-02 ¶ 1 Bullet 2 Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Capture threats to critical products and services; BCM-02 ¶ 1 Bullet 4] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Audits and risk management | Testing | |
Identify external requirements for customer access. CC ID 12736 | Technical security | Technical Security | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
Verify proof of identity records. CC ID 13761 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of the person through identity card; HR-01 ¶ 2 Bullet 1] | Technical security | Investigate | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
Review user accounts. CC ID 00525 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Regular review of assigned user accounts and access rights; IDM-01 ¶ 1 Bullet 6] | Technical security | Technical Security | |
Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
Employ unique identifiers. CC ID 01273 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Assignment of unique usernames; IDM-01 ¶ 1 Bullet 1] | Technical security | Testing | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/ or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Technical security | Technical Security | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Process or Activity | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Process or Activity | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Establish/Maintain Documentation | |
Configure network access and control points to organizational standards. CC ID 12442 [{alternate} The cloud service can be accessed by other cloud services or IT systems of cloud customers through documented inbound and outbound interfaces. Further, the interfaces are clearly documented for subject matter experts on how they can be used to retrieve the data. PI-01 ¶ 1 These authentication mechanisms are set up at all access points that allow users, IT components or applications to interact with the cloud service. PSS-05 ¶ 2] | Technical security | Configuration | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect for tampering, as necessary. CC ID 10640 [{power distributor} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Traces of violent attempts to open closed distributors; PS-06 ¶ 1(d) Bullet 1] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5 {be insufficient} The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Insufficient surveillance; PS-01 ¶ 2 Bullet 3] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Install and maintain an environment control monitoring system. CC ID 06370 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2 The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1 {cooling system} For a self-sufficient operation during a heat period, the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings have been determined with a safety margin of 3 K. The security requirements stipulate that the permissible operating and environmental parameters of the cooling supply must also be observed on at least five consecutive days with these outside temperatures including the safety margin (cf. PS-06 Protection against failure of the supply facilities). PS-01 ¶ 7 {duration} If water is taken from a river for air conditioning, it is determined at which water levels and water temperatures the air conditioning can be maintained for how long. PS-01 ¶ 8] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Involve auditors in reviewing and testing the business continuity program. CC ID 13211 | Operational and Systems Continuity | Testing | |
Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 | Operational and Systems Continuity | Investigate | |
Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 | Operational and Systems Continuity | Investigate | |
Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 | Operational and Systems Continuity | Testing | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Systems Continuity | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Operational and Systems Continuity | Systems Continuity | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 [Restore procedures are tested regularly, at least annually. The tests allow an assessment to be made as to whether the contractual agreements as well as the specifications for the maximum tolerable downtime (Recovery Time Objective, RTO) and the maximum permissible data loss (Recovery Point Objective, RPO) are adhered to (cf. BCM-02). OPS-08 ¶ 1] | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects: Tests of recovery procedures (cf. OPS-08). OPS-06 ¶ 1 Bullet 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify telecommunication facilities critical to the continuity of operations. CC ID 12732 | Operational and Systems Continuity | Systems Continuity | |
Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Business Processes | |
Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [{separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2 Plan, implement, maintain and test procedures and measures for business continuity and emergency management. Section 5.14 Objective The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1] | Operational and Systems Continuity | Testing | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The competency and integrity of all internal and external employees of the Cloud Service Provider with access to cloud customer data or system components under the Cloud Service Provider's responsibility who are responsible to provide the cloud service in the production environment shall be verified prior to commencement of employment in accordance with local legislation and regulation by the Cloud Service Provider. HR-01 ¶ 1] | Human Resources management | Testing | |
Perform a background check during personnel screening. CC ID 11758 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Evaluation of the risk to be blackmailed. HR-01 ¶ 2 Bullet 6] | Human Resources management | Human Resources Management | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Human Resources Management | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Conflicting tasks and responsibilities are separated based on an OIS-06 risk assessment to reduce the risk of unauthorised or unintended changes or misuse of cloud customer data processed, stored or transmitted in the cloud service. OIS-04 ¶ 1 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Segregation of duties between managing, approving and assigning user accounts and access rights; IDM-01 ¶ 1 Bullet 4] | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2] | Human Resources management | Monitor and Evaluate Occurrences | |
Monitor managing cloud services. CC ID 13150 [{technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1 Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access and monitor the agreed services and security requirements. Section 5.12 Objective] | Operational management | Monitor and Evaluate Occurrences | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Communicate | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Behavior | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 | Operational management | Process or Activity | |
Determine the duration of unscheduled downtime when assessing security incidents. CC ID 17182 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of the maximum acceptable duration of malfunctions; BCM-02 ¶ 1 Bullet 6] | Operational management | Process or Activity | |
Determine the duration of the incident when assessing security incidents. CC ID 17181 | Operational management | Process or Activity | |
Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
Respond to and triage when an incident is detected. CC ID 06942 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1 The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Monitor and Evaluate Occurrences | |
Analyze the incident response process following an incident response. CC ID 13179 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Response time to malfunctions and security incidents; COM-03 ¶ 3 Bullet 3] | Operational management | Investigate | |
Avoid false positive incident response notifications. CC ID 04732 [{false positive} In addition, the Cloud Service Provider communicates that "false reports" of events that do not subsequently turn out to be incidents do not have any negative consequences. SIM-04 ¶ 2] | Operational management | Behavior | |
Establish, implement, and maintain incident response procedures. CC ID 01206 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: dealing with incidents and vulnerabilities; and AM-02 ¶ 1 Bullet 11] | Operational management | Establish/Maintain Documentation | |
Prepare digital forensic equipment. CC ID 08688 | Operational management | Investigate | |
Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 [There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Operational management | Investigate | |
Test the incident response procedures. CC ID 01216 [The Cloud Service Provider simulates the identification, analysis and defence of security incidents and attacks at least once a year through appropriate tests and exercises (e.g. Red Team training). SIM-02 ¶ 2] | Operational management | Testing | |
Test proposed changes prior to their approval. CC ID 00548 [Changes to the cloud service are subject to appropriate testing during software development and deployment. DEV-06 ¶ 1 {change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state-of-the-art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 [{change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state-of-the-art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Establish, implement, and maintain a configuration change log. CC ID 08710 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1] | Operational management | Configuration | |
Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The Information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | System hardening through configuration management | Log Management | |
Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | System hardening through configuration management | Log Management | |
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [Activities of users with privileged access rights are logged in order to detect any misuse of privileged access in suspicious cases. The logged information is automatically monitored for defined events that may indicate misuse. When such an event is identified, the responsible personnel are automatically informed so that they can promptly assess whether misuse has occurred and take corresponding action. In the event of proven misuse of privileged access rights, disciplinary measures are taken in accordance with HR-04. IDM-06 ¶ 3] | System hardening through configuration management | Log Management | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | System hardening through configuration management | Testing | |
Audit the configuration of organizational assets, as necessary. CC ID 13653 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2 Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Configuration of system components to provide the cloud service within the Cloud Service Provider's area of responsibility; COM-03 ¶ 3 Bullet 1] | System hardening through configuration management | Audits and Risk Management | |
Establish, implement, and maintain a data retention program. CC ID 00906 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects: The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO); OPS-06 ¶ 1 Bullet 1] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 [{security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Records management | Monitor and Evaluate Occurrences | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Records Management | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Error handling and logging mechanisms; PSS-01 ¶ 2 Bullet 3 The cloud service provided is equipped with error handling and logging mechanisms. These enable cloud users to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides. PSS-04 ¶ 1] | Records management | Establish/Maintain Documentation | |
Document the results of the source code analysis. CC ID 14310 | Systems design, build, and implementation | Process or Activity | |
Restrict production data from being used in the test environment. CC ID 01103 [Production environments are physically or logically separated from test or development environments to prevent unauthorised access to cloud customer data, the spread of malware, or changes to system components. Data contained in the production environments is not used in test or development environments in order not to compromise their confidentiality. DEV-10 ¶ 1] | Systems design, build, and implementation | Testing | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 [The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Code reviews by the Cloud Service Provider's subject matter experts; and PSS-02 ¶ 2 Bullet 3 The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. PSS-02 ¶ 4] | Systems design, build, and implementation | Testing | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [In procurement, products are preferred which have been certified according to the "Common Criteria for Information Technology Security Evaluation" (short: Common Criteria – CC) according to Evaluation Assurance Level EAL 4. If non-certified products are to be procured for available certified products, a risk assessment is carried out in accordance with OIS-07. DEV-01 ¶ 3] | Acquisition or sale of facilities, technology, and services | Testing | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 [The Cloud Service Provider applies appropriate measures to check the cloud service for vulnerabilities which might have been integrated into the cloud service during the software development process. PSS-02 ¶ 1 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Static Application Security Testing; PSS-02 ¶ 2 Bullet 1 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Dynamic Application Security Testing; PSS-02 ¶ 2 Bullet 2] | Acquisition or sale of facilities, technology, and services | Testing | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 [{investigation request} The Cloud Service Provider informs the affected Cloud Customer(s) without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the Cloud Service. INQ-02 ¶ 1] | Privacy protection for information and data | Behavior | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 [Investigation requests from government agencies are subjected to a legal assessment by subject matter experts of the Cloud Service Provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken. INQ-01 ¶ 1] | Privacy protection for information and data | Behavior | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
Compare the photograph on the customer's identification card or badge with the customer's physical appearance. CC ID 04861 | Privacy protection for information and data | Testing | |
Check the consistency of the applicant's personal data against personal data already on file. CC ID 04870 | Privacy protection for information and data | Data and Information Management | |
Ask the applicant challenge questions and verify they respond correctly. CC ID 04871 | Privacy protection for information and data | Behavior | |
Compare new account information with fraudulent account activity notifications or identity theft notifications. CC ID 04872 | Privacy protection for information and data | Data and Information Management | |
Authenticate a user's identity prior to transferring funds requested by a customer. CC ID 12972 | Privacy protection for information and data | Business Processes | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [{nondisclosure agreement} The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated. HR-06 ¶ 3 The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted. HR-06 ¶ 2] | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Information security requirements for the processing, storage or transmission of information by third parties based on recognised industry standards; SSO-01 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [{independent audit report} {internal control system} The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance. SSO-01 ¶ 3] | Third Party and supply chain oversight | Testing | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: OIS-03 ¶ 1 Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identify dependencies, including processes (including resources required), applications, business partners and third parties; BCM-02 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Service providers and suppliers of the Cloud Service Provider undergo a risk assessment in accordance with the policies and instructions for the control and monitoring of third parties prior to contributing to the delivery of the cloud service. The adequacy of the risk assessment is reviewed regularly, at least annually, by qualified personnel of the Cloud Service Provider during service usage. SSO-02 ¶ 1 The frequency of the monitoring corresponds to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. SSO-02). The results of the monitoring are included in the review of the third party's risk assessment. SSO-04 ¶ 3] | Third Party and supply chain oversight | Testing | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [Service providers and suppliers of the Cloud Service Provider undergo a risk assessment in accordance with the policies and instructions for the control and monitoring of third parties prior to contributing to the delivery of the cloud service. The adequacy of the risk assessment is reviewed regularly, at least annually, by qualified personnel of the Cloud Service Provider during service usage. SSO-02 ¶ 1] | Third Party and supply chain oversight | Audits and Risk Management | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
Request attestation of compliance from third parties. CC ID 12067 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Proof of compliance with contractually agreed requirements. SSO-03 ¶ 1 Bullet 9 Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: SSO-04 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Business Processes | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: reports on the quality of the service provided; SSO-04 ¶ 2 Bullet 1 The frequency of the monitoring corresponds to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. SSO-02). The results of the monitoring are included in the review of the third party's risk assessment. SSO-04 ¶ 3] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [Communication takes place through standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements. Communication over untrusted networks is encrypted according to CRY-02. PI-01 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Communicate | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures. CC ID 12406 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 [The execution of data backups is monitored by technical and organisational measures. Malfunctions are investigated by qualified staff and rectified promptly to ensure compliance with contractual obligations to cloud customers or the Cloud Service Provider's business requirements regarding the scope and frequency of data backup and the duration of storage. OPS-07 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Faults in planning; PS-01 ¶ 2 Bullet 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service. OIS-01 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the scope of the security policy. CC ID 07145 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Scope of the ISMS (Section 4.3 of ISO/IEC 27001); OIS-01 ¶ 2 Bullet 1 {security requirements} The policies and instructions describe at least the following aspects: Scope; SP-01 ¶ 3 Bullet 2] | Leadership and high level objectives | Data and Information Management | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Identify the organisation's own assets and ensure an appropriate level of protection throughout their lifecycle. Section 5.4 Objective] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Up-to-datedness of the documentation in the distribution list; PS-06 ¶ 1(d) Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information in the organization's policies, standards, and procedures. CC ID 17167 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of effects resulting from planned and unplanned malfunctions and changes over time; BCM-02 ¶ 1 Bullet 5] | Leadership and high level objectives | Business Processes | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [{provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3 {applicable requirements} The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service as well as the Cloud Service Provider's procedures for complying with these requirements are explicitly defined and documented. COM-01 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Declaration of applicability (Section 6.1.3), and OIS-01 ¶ 2 Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Establish Roles | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 [Exceptions to the policies and instructions for information security as well as respective controls go through the OIS-06 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners. The approvals of exceptions are documented, limited in time and are reviewed for appropriateness at least annually by the risk owners. SP-03 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a public oversight system. CC ID 17284 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain an oversight plan. CC ID 17302 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an oversight team. CC ID 17303 | Leadership and high level objectives | Process or Activity | |
Include roles and responsibilities in the public oversight system. CC ID 17285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the strategic Information Assurance roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 [{information security policy} The review shall consider at least the following aspects: Organisational and technical changes in the procedures for providing the cloud service; and SP-02 ¶ 2 Bullet 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 [The top management of the Cloud Service Provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS that is performed at least once a year. COM-04 ¶ 1] | Leadership and high level objectives | Establish Roles | |
Establish, implement, and maintain a strategic plan. CC ID 12784 [Provide policies and instructions regarding security requirements and to support business requirements. Section 5.2 Objective] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Leadership and high level objectives | Communicate | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Communicate | |
Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Communicate | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Business Processes | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a tactical plan. CC ID 12785 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 | Leadership and high level objectives | Establish/Maintain Documentation | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Actionable Reports or Measurements | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2] | Monitoring and measurement | Establish/Maintain Documentation | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain Responding to Failures in Security Controls procedures. CC ID 12514 | Monitoring and measurement | Establish/Maintain Documentation | |
Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure. CC ID 12521 [The system components for logging and monitoring are designed in such a way that the overall functionality is not restricted if individual components fail. OPS-17 ¶ 2] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the audit and accountability policy. CC ID 14100 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 | Monitoring and measurement | Establish/Maintain Documentation | |
Include management commitment in the audit and accountability policy. CC ID 14097 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the audit and accountability policy. CC ID 14096 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 | Monitoring and measurement | Communicate | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective Depending on the capabilities of the respective service model, the cloud customer can control and monitor the allocation of the system resources assigned to the customer for administration/use in order to avoid overcrowding of resources and to achieve sufficient performance. OPS-03 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Malfunctions during processing of automatic or manual actions; and PSS-04 ¶ 2 Bullet 2 If the cloud customer is responsible for the activation or type and scope of logging, the Cloud Service Provider must provide appropriate logging capabilities. PSS-04 ¶ 4] | Monitoring and measurement | Log Management | |
Review and approve the use of continuous security management systems. CC ID 13181 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Monitoring and measurement | Establish/Maintain Documentation | |
Prohibit the sale or transfer of a debt caused by identity theft. CC ID 16983 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Define and assign log management roles and responsibilities. CC ID 06311 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Define roles and responsibilities for setting up and monitoring logging; OPS-10 ¶ 1 Bullet 4] | Monitoring and measurement | Establish Roles | |
Make logs available for review by the owning entity. CC ID 12046 [The relevant logs or summarised results are available to the cloud customer in a self-service portal for monitoring the data backup. OPS-07 ¶ 2 On request of the cloud customer, the Cloud Service Provider provides the logs relating to the cloud customer in an appropriate form and in a timely manner so that the cloud customer can investigate any incidents relating to them. OPS-15 ¶ 3 Cloud users can retrieve security-related information via documented interfaces which are suitable for further processing this information as part of their Security Information and Event Management (SIEM). PSS-04 ¶ 5] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain an event logging policy. CC ID 15217 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain log analysis tools. CC ID 17056 | Monitoring and measurement | Technical Security | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Monitoring and measurement | Configuration | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Time synchronisation of system components; and OPS-10 ¶ 1 Bullet 5] | Monitoring and measurement | Configuration | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [{security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Which data, services or functions available to the cloud user within the cloud service, have been accessed by whom and when (Audit Logs); PSS-04 ¶ 2 Bullet 1] | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: OPS-10 ¶ 1 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Information regarding the purpose and retention period of the logs; OPS-10 ¶ 1 Bullet 3 Cloud customers can view compliance with selected contractual requirements in real time. COM-03 ¶ 5] | Monitoring and measurement | Communicate | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 [{risk assess} The entirety of the conception and configuration undertaken to monitor the connections mentioned is assessed in a risk-oriented manner, at least annually, with regard to the resulting security requirements. COS-03 ¶ 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor for software configuration updates absent authorization. CC ID 10676 [{malware} The configuration of the protection mechanisms is monitored automatically. Deviations from the specifications are automatically reported to the subject matter experts so that the deviations are immediately assessed and the necessary measures taken. OPS-05 ¶ 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Create specific test plans to test each system component. CC ID 00661 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the performance and documentation of tests; DEV-03 ¶ 1 Bullet 2 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a testing program. CC ID 00654 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the performance and documentation of tests; DEV-03 ¶ 1 Bullet 2 The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Human Resources Management | |
Enable security controls which were disabled to conduct testing. CC ID 17031 | Monitoring and measurement | Testing | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Establish/Maintain Documentation | |
Disable dedicated accounts after testing is complete. CC ID 17033 | Monitoring and measurement | Testing | |
Protect systems and data during testing in the production environment. CC ID 17198 | Monitoring and measurement | Testing | |
Delete personal data upon data subject's withdrawal from testing. CC ID 17238 | Monitoring and measurement | Data and Information Management | |
Define the criteria to conduct testing in the production environment. CC ID 17197 | Monitoring and measurement | Testing | |
Obtain the data subject's consent to participate in testing in real-world conditions. CC ID 17232 | Monitoring and measurement | Behavior | |
Suspend testing in a production environment, as necessary. CC ID 17231 | Monitoring and measurement | Testing | |
Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include test requirements for the use of production data in the testing program. CC ID 17201 | Monitoring and measurement | Testing | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
Notify interested personnel and affected parties prior to performing testing. CC ID 17034 | Monitoring and measurement | Communicate | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [The security measures are designed to detect and prevent unauthorised access so that the information security of the cloud service is not compromised. PS-03 ¶ 2] | Monitoring and measurement | Configuration | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
Request an extension of the validity period of technical documentation assessment certificates, as necessary. CC ID 17228 | Monitoring and measurement | Process or Activity | |
Define the validity period for technical documentation assessment certificates. CC ID 17227 | Monitoring and measurement | Process or Activity | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [The tests are carried out every six months. They must always be performed by independent external auditors. Internal personnel for penetration tests may support the external service providers. OPS-19 ¶ 4] | Monitoring and measurement | Establish Roles | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
Prevent adversaries from disabling or compromising security controls. CC ID 17057 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Establish/Maintain Documentation | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
Include electrical systems in the business line testing strategy. CC ID 13251 [Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Conformity of the actual wiring and patching with the documentation; PS-06 ¶ 1(d) Bullet 3 {not be needed} {grounding} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: The short-circuits and earthing of unneeded cables are intact; and PS-06 ¶ 1(d) Bullet 4 {unauthorized installation} {unauthorized modification} Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: Impermissible installations and modifications. PS-06 ¶ 1(d) Bullet 5] | Monitoring and measurement | Establish/Maintain Documentation | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: dealing with incidents and vulnerabilities; and AM-02 ¶ 1 Bullet 11 The Cloud Service Provider regularly measures, analyses and assesses the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness. OPS-20 ¶ 1] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Assessment of the severity of identified vulnerabilities; OPS-18 ¶ 1 Bullet 2] | Monitoring and measurement | Establish/Maintain Documentation | |
Conduct scanning activities in a test environment. CC ID 17036 | Monitoring and measurement | Testing | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 [{technical measure} Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: OPS-18 ¶ 1 Identified vulnerabilities and deviations are automatically reported to the appropriate Cloud Service Provider's subject matter experts for immediate assessment and action. COM-03 ¶ 4] | Monitoring and measurement | Communicate | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 [The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. PSS-02 ¶ 4] | Monitoring and measurement | Technical Security | |
Document and maintain test results. CC ID 17028 [The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: Results of the last management review (Section 9.3). OIS-01 ¶ 2 Bullet 3 {assessment} {incident management} {vulnerability management} Results are evaluated at least quarterly by accountable departments at the Cloud Service Provider to initiate continuous improvement actions and to verify their effectiveness. OPS-20 ¶ 2] | Monitoring and measurement | Testing | |
Include the pass or fail test status in the test results. CC ID 17106 | Monitoring and measurement | Establish/Maintain Documentation | |
Include time information in the test results. CC ID 17105 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the system tested in the test results. CC ID 17104 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the test results to interested personnel and affected parties. CC ID 17103 [At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management. OPS-08 ¶ 3] | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [In the event of violations of policies and instructions or applicable legal and regulatory requirements, actions are taken in accordance with a defined policy that includes the following aspects: Verifying whether a violation has occurred; and HR-04 ¶ 1 Bullet 1] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 [The use of disciplinary measures is appropriately documented. HR-04 ¶ 3] | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [The internal and external employees of the Cloud Service Provider are informed about possible disciplinary measures. HR-04 ¶ 2] | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Restrict access to logs to authorized individuals. CC ID 01342 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Access only for authorised users and systems; OPS-12 ¶ 1 Bullet 1] | Monitoring and measurement | Log Management | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 [Personal data is automatically removed from the log data before the Cloud Service Provider processes it as far as technically possible. The removal is done in a way that allows the Cloud Service Provider to continue to use the log data for the purpose for which it was collected. OPS-11 ¶ 2 {be specific} {logical separation} The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out. OPS-14 ¶ 3] | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 [The logged information is protected from unauthorised access and modification and can be deleted by the Cloud Customer. PSS-04 ¶ 3] | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [Proof of conformity is always to be provided using the audit standard ISAE 3000 (Revised). Section 3.4.1 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{legal framework} The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Compliance with legal and regulatory frameworks. OPS-10 ¶ 1 Bullet 6] | Audits and risk management | Communicate | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Audits and risk management | Actionable Reports or Measurements | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Audits and risk management | Actionable Reports or Measurements | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Audits and risk management | Actionable Reports or Measurements | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Actionable Reports or Measurements | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [The report on an attestation engagement includes the following elements: Auditor's responsibility Section 3.4.8 ¶ 2 1 (d)] | Audits and risk management | Establish Roles | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Audits and Risk Management | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 | Audits and risk management | Communicate | |
Define the qualification requirements for auditors. CC ID 17259 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 [At the client's request, the auditor shall provide appropriate evidence that the audit team meets the qualification requirements. Section 3.4.9 ¶ 5] | Audits and risk management | Communicate | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): 3 years relevant professional experience with IT audits in a public audit firm Section 3.4.9 ¶ 3 Bullet 1 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: Information Systems Audit and Control Association (ISACA) – Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified in Risk and Information Systems Control (CRISC) Section 3.4.9 ¶ 4 Bullet 1 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: ISO/IEC 27001 Lead Auditor or BSI certified ISO 27001 Auditor for audits based on BSI IT-Grundschutz Section 3.4.9 ¶ 4 Bullet 2 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: Cloud Security Alliance (CSA) – Certificate of Cloud Security Knowledge (CCSK) Section 3.4.9 ¶ 4 Bullet 3 Therefore, the following aspects are to be fulfilled by those members of the audit team who, according to the International Standard on Quality Control (ISQC) 1 "Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements" or the German IDW quality assurance standard "Anforderungen an die Qualitätssicherung in der Wirtschaftsprüferpraxis" (IDW QS 1) or other national equivalents of ISQC 1, supervise the execution and review the results of the engagement (including evaluation of the work performed, review of the documentation and the planned reporting): or one of the following professional examinations/certifications: (ISC)² – Certified Cloud Security Professional (CCSP) Section 3.4.9 ¶ 4 Bullet 4] | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 [In this context, Cloud Service Providers and auditors shall have sufficient time to make the necessary adjustments to the systems and processes and to the execution of the audit associated with the updating of this criteria catalogue. Section 3.5 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Process or Activity | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain audit terms. CC ID 13880 [{independent audit report} The report on an attestation engagement includes the following elements: General terms of the engagement Section 3.4.8 ¶ 2 1 (h) Since in the case of a direct engagement, the audit is not based on a system description provided by the Cloud Service Provider, the auditor must document details of the general conditions in accordance with the information provided by the Cloud Service Provider. Section 4 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 [In this context, Cloud Service Providers and auditors shall have sufficient time to make the necessary adjustments to the systems and processes and to the execution of the audit associated with the updating of this criteria catalogue. Section 3.5 ¶ 2 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 [According to the BSI, Cloud Service Providers who already have a system description can reuse it in audits according to this criteria catalogue. However, an existing system description that meets the requirements of another standard must be adapted to this criteria catalogue, as necessary. Section 3.4.3.1 ¶ 3 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: Its jurisdiction; and BC-01 ¶ 1 Bullet 1 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: the suitability and effectiveness of the internal control system in relation to the applicable criteria; and BC-06 ¶ 1 Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully applicable or partially fulfilled. The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Audits and risk management | Establish/Maintain Documentation | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: compliance of the management systems for information security, business continuity and quality with applicable international standards; BC-06 ¶ 1 Bullet 1 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: compliance with the European General Data Protection Regulation (GDPR); BC-06 ¶ 1 Bullet 2 In the system description, the Cloud Service Provider provides comprehensible and transparent information on existing and valid certifications or attestations by independent third parties relating to the following aspects of the cloud service: certifications or attestations according to industry-specific requirements of cloud customers. BC-06 ¶ 1 Bullet 4] | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 If necessary, the Cloud Service Provider will outsource parts of its business processes for the provision of the cloud service to other service providers (use of subservice organisations). The Cloud Service Provider describes this in its description and the auditor takes this into consideration as specified in the audit standards ISAE 3402. The standard distinguishes for an attestation engagement between the "inclusive method" and the "carve-out method": Section 3.4.5 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: contractual agreements regarding the availability of the Cloud Service not being fulfilled, or Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 1] | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant changes to the policies, procedures and measures, including the controls, to govern the provisioning (development and operation) of the Cloud Services with respect to the applicable C5 Criteria, that have been implemented during the period under review; Section 3.4.4.1 ¶ 2 Bullet 1 If the Cloud Service Provider can provide evidence of additional controls not previously stated in the description, but in place for non-covered elements of the C5 criteria, the Cloud Service Provider shall include these controls in the description or adjust the existing control descriptions and present these changes in an appropriate form. Section 3.4.6 ¶ 2 In the course of a specified period, it may happen that the assessment of the effectiveness of the policies, procedures and measures applied by the Cloud Service Provider relates both to the status before and after the implementation of such adjustments. The system description should include the adjustments made (cf. Section 3.4.4.1). In the case of a direct engagement, the auditor must obtain and disclose this information. Section 3.5 ¶ 4] | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: Section 3.4.4.1 ¶ 2 Bullet 2 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: unauthorised third parties having gained access to the data of cloud customers stored in the cloud service, or Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 2 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: the integrity of the data stored in the cloud service was compromised and the protective measures put in place (e.g. data backup) were not effective, Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 [When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: the integrity of the data stored in the cloud service was compromised and the protective measures put in place (e.g. data backup) were not effective, Section 3.4.4.1 ¶ 2 Bullet 2 Sub-bullet 3 When auditing operating effectiveness (type 2 reporting), the following minimum contents shall be added to the system description: Details on significant events and conditions that are exceptions to normal operation, that have occurred throughout the specified period and have resulted in: as well as the measures initiated by the Cloud Service Provider to prevent such events and conditions in the future. Section 3.4.4.1 ¶ 3 If the Cloud Service Provider can provide evidence of additional controls not previously stated in the description, but in place for non-covered elements of the C5 criteria, the Cloud Service Provider shall include these controls in the description or adjust the existing control descriptions and present these changes in an appropriate form. Section 3.4.6 ¶ 2 The report on an attestation engagement includes the following elements: Description of the Cloud Service Provider's service-related system of internal control to meet the C5 criteria. Section 3.4.8 ¶ 2 3.] | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 [{in scope system description} {refrain from distorting} The description shall not omit or distort any information relevant to the fulfilment of the applicable C5 criteria. This does not mean that all aspects of the service-related internal control system that can be considered important from the point of view of individual customers of the Cloud Service Provider should be presented. It should be noted that the description is intended to achieve an appropriate level of transparency for a broad range of customers and that some of the processes can be customised. Section 3.4.4.1 ¶ 5] | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 [To the extent applicable for the certification or attestation, the following information are provided: date or period of validity or coverage. BC-06 ¶ 2 Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 [{audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Functions and services with respect to the applicable C5 criteria provided by subservice organisations, including the type and scope of such functions and services, the location of processing and storage of data, the complexity and uniqueness of the functions and services as well as the resulting dependency of the Cloud Service Provider, (if carve-out method is applied) complementary controls assumed in the design of the Cloud Service Provider's controls, and the availability of audit reports according to the criteria in this criteria catalogue. Section 3.4.4.1 ¶ 1 Bullet 8] | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 [{cannot provide} {complementary user entity control} In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel. SSO-01 ¶ 4] | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully applicable or partially fulfilled. The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and risk management | Audits and Risk Management | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 [{audit criteria} The Cloud Service Provider must explain in the description of the system if individual basic or additional criteria are not applicable due to the nature and design of the cloud service or the principles, procedures and measures of the Cloud Service Provider. Based on the information provided by the Cloud Service Provider, the auditor must assess to what extent the C5 criteria are not applicable, and if applicable whether they are fully or partially fulfilled. Section 3.4.2.1 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 [The ISAE 3000 (Revised) audit standard distinguishes between audit engagements with "reasonable assurance" and audit engagements with "limited assurance". According to the BSI, auditors should perform reasonable assurance audits to provide conformity with this criteria catalogue. Section 3.4.1 ¶ 2] | Audits and risk management | Communicate | |
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 [When assessing the coverage of C5 criteria by results obtained during other audits, particular consideration shall be given to the nature of the audit and compared with the 'reasonable assurance' required for an attestation engagement or a direct engagement (cf. Section 3.4.1). For example, results from ISO certification audits are to be assessed differently from those obtained from an ISAE 3000 audit. Section 3.3 ¶ 4] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [According to ISAE 3000 (Revised), the auditor must determine before accepting an engagement that the professional duties (for auditors in Germany § 43 WPO, German Law regulating the Profession of Wirtschaftsprüfer: Wirtschaftsprüferordnung), including the duty of independence, are complied with. Based on the auditor's knowledge of the subject matter, the auditor shall assess whether the members of the audit team entrusted with the engagement have the necessary competency and understanding of the industry as well as capabilities to perform the audit and whether sufficient experience with the relevant formal requirements is available or can be obtained. Section 3.4.9 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [Subject matter experts check the compliance of the information security management system at regular intervals, at least annually, with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) as well as compliance with the policies and instructions (cf. SP-01) within their scope of responsibility (cf. OIS-01) through internal audits. COM-03 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 [Subject matter experts check the compliance of the information security management system at regular intervals, at least annually, with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) as well as compliance with the policies and instructions (cf. SP-01) within their scope of responsibility (cf. OIS-01) through internal audits. COM-03 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: If the deviation was already stated in a report of a previous audit, an indication should be given of when and by what means the deviation was detected, together with a separate indication that the detection occurred in a previous audit period. This requires that the auditor has access to prior reports from the Cloud Service Provider. In case of doubt, the auditor shall have the inspection of these reports separately assured in his engagement letter. Section 3.4.7 ¶ 2 Bullet 2 {cannot provide} {complementary user entity control} In case no reports can be provided, the Cloud Service Provider agrees appropriate information and audit rights to assess the suitability and effectiveness of the service-related internal control system, including the complementary controls, by qualified personnel. SSO-01 ¶ 4 Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the activities; COM-02 ¶ 1 Bullet 1] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 [{independent audit report} The report on an attestation engagement includes the following elements: Independent auditor's report Section 3.4.8 ¶ 2 1.] | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the audit report. CC ID 17263 [{independent audit report} The report on an attestation engagement includes the following elements: Intended users and purpose Section 3.4.8 ¶ 2 1 (g)] | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6] | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Include written agreements in the audit report. CC ID 17266 [In this context, a reference to a liability agreement must be made in the audit report. Section 3.4.10 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 [{independent audit report} The report on an attestation engagement includes the following elements: Inherent limitations Section 3.4.8 ¶ 2 1 (e)] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9) Section 3.4.8 ¶ 2 1 (c)] | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [{independent audit report} The report on an attestation engagement includes the following elements: Independence and quality control of the auditor/auditing firm (including information on compliance with qualification requirements (cf. Section 3.4.9) Section 3.4.8 ¶ 2 1 (c)] | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 [{audit criteria} {be applicable} The applicable C5 criteria are to be presented in the audit report's section containing the C5 criteria, controls, test procedures and results. Section 3.4.2.1 ¶ 3 {audit criteria} The report on an attestation engagement includes the following elements: Presentation of the applicable C5 criteria, the associated controls (part of the description), test procedures performed and the individual test results of the auditor. Section 3.4.8 ¶ 2 4.] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 [{independent audit report} The report on an attestation engagement includes the following elements: Intended users and purpose Section 3.4.8 ¶ 2 1 (g)] | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 [Irrespective of the assessment as to whether a deviation leads to a qualified opinion, further information should be presented in the audit report. This information is intended to enable report recipients to assess whether the Cloud Service Provider is taking appropriate actions to handle errors and optimise its policies, procedures and actions. The following additional information from the Cloud Service Provider shall be included in the audit report: The measures to be taken to remedy the deviation in the future and when these measures are likely to be completed or effectively implemented. Section 3.4.7 ¶ 2 Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Audits and Risk Management | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6 {audit criteria} The report on an attestation engagement includes the following elements: Presentation of the applicable C5 criteria, the associated controls (part of the description), test procedures performed and the individual test results of the auditor. Section 3.4.8 ¶ 2 4. In case of a direct engagement, the components 2 'Written statement' and 3 'Description' are omitted. Nevertheless, the minimum contents of the description mentioned in Section 3.4.4.1 shall be presented in all material respects in the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Such information shall be provided in a separate section, e.g. "Description of the cloud service and the policies, procedures and measures applied by the Cloud Service Provider". Section 3.4.8 ¶ 3 An adjustment of the description may be waived if the descriptions of the auditor's test procedures clearly state how the elements of the C5 criteria not covered by the control description were audited. Such test procedures shall be marked in an appropriate form (e.g. "Further test procedure for assessing full coverage of the C5 criterion"). Section 3.4.6 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 [The test procedures performed shall be described for both suitability of design (type 1 report) and operating effectiveness (type 2 report) engagements. Section 3.4.8 ¶ 4 An adjustment of the description may be waived if the descriptions of the auditor's test procedures clearly state how the elements of the C5 criteria not covered by the control description were audited. Such test procedures shall be marked in an appropriate form (e.g. "Further test procedure for assessing full coverage of the C5 criterion"). Section 3.4.6 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: where mandated (type 2 report), the controls stated in the description operated effectively throughout a specified period. Section 3.4.4.2 ¶ 1 Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the description fairly presents the Cloud Service Provider's service-related system of internal control to meet the C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report) and includes the minimum content as set forth in Section 3.4.4.1 this criteria catalogue; Section 3.4.4.2 ¶ 1 Bullet 1 {responsible personnel} The report on an attestation engagement includes the following elements: Written statement by the Cloud Service Provider's management responsible for the cloud service(s). Section 3.4.8 ¶ 2 2. {independent audit report} The report on an attestation engagement includes the following elements: Cloud Service Provider's responsibility Section 3.4.8 ¶ 2 1 (b)] | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 [{in scope system description} In the written statement, management of the Cloud Service Provider confirms that: the description fairly presents the Cloud Service Provider's service-related system of internal control to meet the C5 criteria as at a specified date (type 1 report) or throughout a specified period (type 2 report) and includes the minimum content as set forth in Section 3.4.4.1 this criteria catalogue; Section 3.4.4.2 ¶ 1 Bullet 1] | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 [{attestation engagement} The Cloud Service Provider shall select the method to be used at its own discretion and state it accordingly in the description (cf. Section 3.4.4.1 on Minimum Contents of the System Description). Section 3.4.5 ¶ 2 {independent audit report} {audit criteria} The report on an attestation engagement includes the following elements: Scope and C5 version Section 3.4.8 ¶ 2 1 (a)] | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 [In the case of a direct engagement, the auditor shall present the above-mentioned minimum content in all material aspects as part of the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Section 3.4.4.1 ¶ 6 In case of a direct engagement, the components 2 'Written statement' and 3 'Description' are omitted. Nevertheless, the minimum contents of the description mentioned in Section 3.4.4.1 shall be presented in all material respects in the audit report so that the intended customers can obtain an appropriate understanding of the information security of the cloud service, including the principles, procedures and measures applied. This includes sufficient information on the general conditions of the cloud service (cf. Section 4). Such information shall be provided in a separate section, e.g. "Description of the cloud service and the policies, procedures and measures applied by the Cloud Service Provider". Section 3.4.8 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 [The report on an attestation engagement includes the following elements: Optional: Other information provided by the Cloud Service Provider (this information is not subject of the audit, and, accordingly, the auditor does not express an opinion thereon). Section 3.4.8 ¶ 2 5.] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 [{independent audit report} {audit criteria} The report on an attestation engagement includes the following elements: Scope and C5 version Section 3.4.8 ¶ 2 1 (a)] | Audits and risk management | Audits and Risk Management | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 [{independent audit report} The report on an attestation engagement includes the following elements: Audit Opinion Section 3.4.8 ¶ 2 1 (f)] | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 [Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Inquiry of management of the Cloud Service Provider regarding their assessment of the cause of the identified deviation; Section 3.4.7 ¶ 1 Bullet 1 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Assessment of the Cloud Service Provider's handling of the identified deviation; Section 3.4.7 ¶ 1 Bullet 2 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Assessment whether comparable deviations have been identified by the Cloud Service Provider's monitoring processes and what measures have been taken as a result; and, Section 3.4.7 ¶ 1 Bullet 3 Deviation handling is regulated in the audit standards. In assessing whether applicable C5 criteria are not met due to identified deviations and whether the opinion needs to be qualified, the auditor must consider the following procedures: Verification whether compensating controls are in place and effective to address the risks arising from the deviation in such a way that the C5 criterion is met with reasonable assurance. This concerns, for example, the assessment of alternative organisational and technical approaches of the Cloud Service Provider to meet the applicable C5 criteria, which have not been considered in the design of the criteria set out in this criteria catalogue. Section 3.4.7 ¶ 1 Bullet 4] | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{independent audit report} {internal control system} The reports include the complementary subservice organisations that are required, together with the controls of the Cloud Service Provider, to meet the applicable basic criteria of BSI C5 with reasonable assurance. SSO-01 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [If the specified period ends in a period which is up to three months before February 15, 2021, the Cloud Service Provider shall provide additional information in the system description regarding the necessary changes to its service-related internal control system which have not been completed. The details should include what measures are to be completed or effectively implemented. In the case of a direct engagement, the auditor shall obtain and disclose this information. Section 3.5 ¶ 5] | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 [The criteria in this criteria catalogue shall be applied for periods being assessed ending on or after February 15, 2021. Earlier application of these criteria is permitted. Section 3.5 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: COM-02 ¶ 1] | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management policy. CC ID 17192 [{annual basis} The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: OIS-07 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 [{confidentiality} {authentication information} Deviations are evaluated by means of a risk analysis and mitigating measures derived from this are implemented. IDM-08 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2 {vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Processing, storage or transmission of data of cloud customers with different protection needs; OIS-07 ¶ 1 Bullet 1] | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Occurrence of vulnerabilities and malfunctions in technical protective measures for separating shared resources; OIS-07 ¶ 1 Bullet 2] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 [The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Administration of rights profiles, approval and assignment of access and access authorisations (cf. IDM-01); OIS-04 ¶ 2 Bullet 1 The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [The Cloud Service Provider leverages relevant authorities and interest groups in order to stay informed about current threats and vulnerabilities. The information flows into the procedures for handling risks (cf. OIS-06) and vulnerabilities (cf. OPS-19). OIS-05 ¶ 1] | Audits and risk management | Technical Security | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners; OIS-06 ¶ 1 Bullet 1 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Analysis of the probability and impact of occurrence and determination of the level of risk; OIS-06 ¶ 1 Bullet 2] | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Attacks via access points, including interfaces accessible from public networks; OIS-07 ¶ 1 Bullet 3 The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Operation of the system components. OIS-04 ¶ 2 Bullet 3 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include physical assets in the scope of the risk assessment. CC ID 13075 [Security requirements for premises and buildings related to the cloud service provided are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Possible scenarios based on a risk analysis; BCM-02 ¶ 1 Bullet 1] | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of time targets for the maximum reasonable period during which data can be lost and not recovered (RPO); and BCM-02 ¶ 1 Bullet 9] | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (RTO); BCM-02 ¶ 1 Bullet 8] | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: Impact of a protection breach on the provision of the cloud service; SSO-02 ¶ 2 Bullet 2] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Review the Business Impact Analysis, as necessary. CC ID 12774 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Analysis of the probability and impact of occurrence and determination of the level of risk; OIS-06 ¶ 1 Bullet 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling; OIS-06 ¶ 1 Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: SSO-02 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Process or Activity | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and OIS-06 ¶ 1 Bullet 4] | Audits and risk management | Behavior | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling; OIS-06 ¶ 1 Bullet 3] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2 Identified vulnerabilities and deviations are subject to risk assessment in accordance with the risk management procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf. OPS-18). COS-03 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Establish/Maintain Documentation | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Establish/Maintain Documentation | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and OIS-06 ¶ 1 Bullet 4] | Audits and risk management | Communicate | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [{annual basis} The analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, is reviewed for adequacy at least annually by the risk owners. OIS-07 ¶ 2] | Audits and risk management | Business Processes | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Dependencies on subservice organisations. OIS-07 ¶ 1 Bullet 5] | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: OIS-06 ¶ 1 Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Documentation of the activities implemented to enable consistent, valid and comparable results. OIS-06 ¶ 1 Bullet 5] | Audits and risk management | Communicate | |
Establish, implement, and maintain a disclosure report. CC ID 15521 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Establish/Maintain Documentation | |
Include operational metrics in the disclosure report. CC ID 15939 | Audits and risk management | Establish/Maintain Documentation | |
Include incident management metrics in the disclosure report. CC ID 15926 | Audits and risk management | Establish/Maintain Documentation | |
Include the total user downtime in the disclosure report. CC ID 15635 [The cloud provider provides subject matter experts of cloud customers with comprehensible and transparent information on the availability of the data centres used to provide the cloud service (including data centres operated by subcontractors), as needed. The information shows availability and downtime over one year according to industry standard classification schemes. The information enables cloud customers to assess the cloud service as part of their business impact analysis. BC-04 ¶ 1] | Audits and risk management | Actionable Reports or Measurements | |
Establish, implement, and maintain an access classification scheme. CC ID 00509 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 [Ensure the protection of information in networks and the corresponding information processing systems Section 5.9 Objective Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction are documented, communicated and provided according to SP-01. The policies and instructions establish a reference to the classification of information (cf. AM-06). COS-08 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain security classifications for organizational assets. CC ID 00005 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Establish/Maintain Documentation | |
Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
Implement identity proofing processes. CC ID 13719 | Technical security | Process or Activity | |
Establish, implement, and maintain an access control program. CC ID 11702 [Access controls are supported by an access control system. PS-04 ¶ 2] | Technical security | Establish/Maintain Documentation | |
Include instructions to change authenticators as often as necessary in the access control program. CC ID 11931 [If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: The user is informed about changing or resetting the password. PSS-07 ¶ 1 Bullet 3] | Technical security | Establish/Maintain Documentation | |
Include guidance on selecting authentication credentials in the access control program. CC ID 11928 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control policies. CC ID 00512 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the access control policy. CC ID 14003 [Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 [{access classification scheme} {access rights management plan} A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: IDM-01 ¶ 1 {access roles} {access rights} The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Roles and rights concept including combinations that result in an elevated risk; and PSS-01 ¶ 2 Bullet 5 {access rights management plan} The Cloud Service Provider provides cloud users with a roles and rights concept for managing access rights. It describes rights profiles for the functions provided by the cloud service. PSS-08 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
Define access needs for each role assigned to an information system. CC ID 12455 [{access rights management plan} The Cloud Service Provider provides cloud users with a roles and rights concept for managing access rights. It describes rights profiles for the functions provided by the cloud service. PSS-08 ¶ 1] | Technical security | Human Resources Management | |
Establish access rights based on least privilege. CC ID 01411 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Granting and modifying user accounts and access rights based on the "least-privilege-principle" and the "need-to-know" principle; IDM-01 ¶ 1 Bullet 2 Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ("need-to-know principle"). Technical users are assigned to internal or external employees of the Cloud Service Provider. IDM-06 ¶ 2] | Technical security | Technical Security | |
Assign user permissions based on job responsibilities. CC ID 00538 [Privileged access rights are personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks ("need-to-know principle"). Technical users are assigned to internal or external employees of the Cloud Service Provider. IDM-06 ¶ 2] | Technical security | Technical Security | |
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Data traffic of cloud customers in jointly used network environments is segregated on network level according to a documented concept to ensure the confidentiality and integrity of the data transmitted. COS-06 ¶ 1] | Technical security | Configuration | |
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
Notify appropriate parties when the maximum number of unsuccessful logon attempts is exceeded. CC ID 17164 | Technical security | Communicate | |
Disallow unlocking user accounts absent system administrator approval. CC ID 01413 [User accounts of internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider are automatically locked if they have not been used for a period of two months. Approval from authorised personnel or system components are required to unlock these accounts. IDM-03 ¶ 1] | Technical security | Technical Security | |
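The four lockout rows above (CC ID 01412, 13822, 17164 and 01413) describe one mechanism: count consecutive failed logons, lock at a predetermined threshold, notify, and let only an authorised party unlock. The following is an added illustration of that mechanism, not code from the C5 catalogue or from BSI; the threshold of five attempts, the event format and the account names are assumptions chosen for the example. The point worth seeing in code is the two edge cases the rows call out: a successful authentication resets the counter (so the lock only ever reacts to consecutive failures), and a correct credential presented after the lock does not reopen the account.

```python
"""Consecutive-failure lockout with approval-gated unlock.

Added example for CC ID 01412 / 13822 / 17164 / 01413; the threshold,
event shape and names are assumptions, not taken from C5:2020.
"""
from dataclasses import dataclass, field

MAX_CONSECUTIVE_FAILURES = 5  # assumed "predetermined number" (CC ID 01412)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class LockoutPolicy:
    threshold: int = MAX_CONSECUTIVE_FAILURES
    accounts: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def record(self, user, outcome):
        """Process one logon event; outcome is 'success' or 'failure'.

        Returns 'locked' when this event trips the lock, 'denied' when the
        account was already locked, otherwise 'ok'."""
        st = self._state(user)
        if st.locked:
            # A locked account stays locked even if the credential is correct,
            # so a lucky guess after the lockout does not reopen it.
            return "denied"
        if outcome == "success":
            # CC ID 13822: failures before a successful authentication are
            # disregarded; the counter only tracks *consecutive* failures.
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.threshold:
            st.locked = True
            # CC ID 17164: notify when the maximum is reached.
            self.notifications.append(
                f"{user}: locked after {st.consecutive_failures} consecutive failures"
            )
            return "locked"
        return "ok"

    def unlock(self, user, approved_by):
        """CC ID 01413 / IDM-03: unlocking needs an authorised approver.

        Returns True only when an approver is named and the account was locked."""
        st = self._state(user)
        if not approved_by or not st.locked:
            return False
        st.locked = False
        st.consecutive_failures = 0
        return True


def run_sample():
    """Replay a constructed sequence of logon events (not real log data)."""
    events = [
        ("alice", "failure"), ("alice", "failure"), ("alice", "success"),  # reset
        ("alice", "failure"), ("alice", "failure"), ("alice", "failure"),
        ("alice", "failure"), ("alice", "failure"),                        # 5th -> locked
        ("alice", "success"),                                              # denied
        ("bob", "failure"), ("bob", "failure"),
    ]
    policy = LockoutPolicy()
    results = [policy.record(u, o) for u, o in events]
    return policy, results


if __name__ == "__main__":
    policy, results = run_sample()
    print(results)
    print(policy.notifications)
```

In a real deployment the counter and lock flag would live in the identity provider rather than in process memory, and the notification would go to the SOC channel; the state transitions are what an auditor checks against these rows.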
Establish session authenticity through Transport Layer Security. CC ID 01627 [{be inactive} To protect confidentiality, availability, integrity and authenticity during interactions with the cloud service, a suitable session management system is used that at least corresponds to the state-of-the-art and is protected against known attacks. Mechanisms are implemented that invalidate a session after it has been detected as inactive. The inactivity can be detected by time measurement. In this case, the time interval can be configured by the Cloud Service Provider or – if technically possible – by the cloud customer. PSS-06 ¶ 1] | Technical security | Technical Security | |
Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
Enable access control for objects and users on each system. CC ID 04553 [Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility is restricted to authorised users. Changes to the configuration are made in accordance with the applicable policies (cf. DEV-03). OPS-16 ¶ 1 The Cloud Service Provider offers cloud customers a self-service with which they can independently assign and change user accounts and access rights. IDM-02 ¶ 2 Access to the functions provided by the cloud service is restricted by access controls (authorisation mechanisms) that verify whether users, IT components, or applications are authorised to perform certain actions. PSS-09 ¶ 1 {attribute-based access control} Access controls are attribute-based to enable granular and contextual checks against multiple attributes of a user, IT component, or application (e.g., role, location, authentication method). PSS-09 ¶ 3 If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: The cloud customer can restrict the selection of images of virtual machines or containers according to his specifications, so that users of this cloud customer can only launch the images or containers released according to these restrictions. PSS-11 ¶ 1 Bullet 1] | Technical security | Configuration | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Enforce access restrictions for change control. CC ID 01428 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1] | Technical security | Technical Security | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 [{maintain} {confidentiality} The users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively for themselves (within the members of the group). IDM-08 ¶ 3] | Technical security | Establish/Maintain Documentation | |
Establish and maintain a list of individuals authorized to perform privileged functions. CC ID 17005 | Technical security | Establish/Maintain Documentation | |
Review all user privileges, as necessary. CC ID 06784 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Regular review of assigned user accounts and access rights; IDM-01 ¶ 1 Bullet 6 Privileged access rights are reviewed at least every six months. IDM-05 ¶ 2 Access rights of internal and external employees of the Cloud Service Provider as well as of system components that play a role in automated authorisation processes of the Cloud Service Provider are reviewed at least once a year to ensure that they still correspond to the actual area of use. The review is carried out by authorised persons from the Cloud Service Provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the employees or system components. Identified deviations will be dealt with promptly, but no later than 7 days after their detection, by appropriate modification or withdrawal of the access rights. IDM-05 ¶ 1] | Technical security | Technical Security | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{least privilege} The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Specified procedure for the granting and revoking of access authorisations (cf. IDM-02) based on the principle of least authorisation ("least-privilege-principle") and as necessary for the performance of tasks ("need-to-know principle"); PS-04 ¶ 3 Bullet 1] | Technical security | Technical Security | |
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 [Access rights are promptly revoked if the job responsibilities of the Cloud Service Provider's internal or external staff or the tasks of system components involved in the Cloud Service Provider's automated authorisation processes change. Privileged access rights are adjusted or revoked within 48 hours after the change taking effect. All other access rights are adjusted or revoked within 14 days. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-04 ¶ 1 Privileged access rights for internal and external employees as well as technical users of the Cloud Service Provider are assigned and changed in accordance to the policy for managing user accounts and access rights (cf. IDM-01) or a separate specific policy. IDM-06 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical security | Technical Security | |
Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
Establish, implement, and maintain a password policy. CC ID 16346 [System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 [Locked user accounts are automatically revoked after six months. After revocation, the procedure for granting user accounts and access rights (cf. IDM-02) must be repeated. IDM-03 ¶ 2] | Technical security | Technical Security | |
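Several rows above quote concrete, checkable deadlines from the C5 criteria: an initial password loses validity after 14 days (IDM-08 / PSS-07), accounts unused for two months are locked automatically and locked accounts are revoked after six months (IDM-03), privileged rights are adjusted within 48 hours and other rights within 14 days of a change of tasks (IDM-04), and privileged rights are reviewed every six months, all others annually (IDM-05). The following added example turns those thresholds into an audit over an account inventory; it is not code from the C5 catalogue or from BSI. The record layout, the account names and the dates are constructed for the demonstration, and month limits are computed with calendar-month arithmetic because C5 states them in months rather than days.

```python
"""Audit account records against the C5 lifecycle thresholds quoted in
the rows above (IDM-03, IDM-04, IDM-05, IDM-08).

Added example; the Account layout and the sample inventory are
constructed, not taken from C5:2020 or from any identity provider.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INITIAL_PASSWORD_MAX_DAYS = 14        # IDM-08 ¶ 1 Bullet 1 / PSS-07 ¶ 1 Bullet 1
INACTIVITY_LOCK_MONTHS = 2            # IDM-03 ¶ 1
LOCKED_REVOKE_MONTHS = 6              # IDM-03 ¶ 2
# IDM-04 ¶ 1, keyed by "privileged": 48 hours for privileged rights, 14 days otherwise
REVOKE_AFTER_CHANGE = {True: timedelta(days=2), False: timedelta(days=14)}
REVIEW_MONTHS = {True: 6, False: 12}  # IDM-05 ¶ 2 (privileged) / ¶ 1 (all others)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Account:
    name: str
    privileged: bool
    created: date
    initial_password_changed: bool
    last_used: Optional[date]
    locked_since: Optional[date]
    role_changed: Optional[date]      # date a change of tasks took effect
    rights_adjusted: Optional[date]   # date rights were adjusted/revoked after it
    last_rights_review: Optional[date]


def audit(accounts, today):
    """Return (account, criterion, message) for every threshold that is breached."""
    findings = []
    for a in accounts:
        # IDM-08: an unchanged initial password must not outlive 14 days.
        if not a.initial_password_changed and today > a.created + timedelta(days=INITIAL_PASSWORD_MAX_DAYS):
            findings.append((a.name, "IDM-08", "initial password still valid after 14 days"))
        # IDM-03 ¶ 1 / ¶ 2: lock after two months unused, revoke after six months locked.
        if a.locked_since is None:
            last = a.last_used or a.created
            if last <= add_months(today, -INACTIVITY_LOCK_MONTHS):
                findings.append((a.name, "IDM-03", "unused for two months: automatic lock required"))
        elif add_months(a.locked_since, LOCKED_REVOKE_MONTHS) <= today:
            findings.append((a.name, "IDM-03", "locked for six months: revoke the account"))
        # IDM-04: rights adjusted within 48 h (privileged) or 14 days after a change of tasks.
        if a.role_changed is not None:
            deadline = a.role_changed + REVOKE_AFTER_CHANGE[a.privileged]
            done = a.rights_adjusted
            if (done is None and today > deadline) or (done is not None and done > deadline):
                findings.append((a.name, "IDM-04", "rights not adjusted within the deadline after a change of tasks"))
        # IDM-05: review every six months (privileged) or at least annually.
        due = None if a.last_rights_review is None else add_months(a.last_rights_review, REVIEW_MONTHS[a.privileged])
        if due is None or due < today:
            findings.append((a.name, "IDM-05", "access rights review overdue"))
    return findings


def sample_inventory():
    """Constructed records for the demonstration (not a real export)."""
    return [
        Account("svc-deploy", True, date(2024, 5, 10), False, date(2024, 5, 30), None, None, None, date(2024, 1, 15)),
        Account("carol", False, date(2023, 1, 9), True, date(2024, 3, 20), None, date(2024, 5, 10), None, date(2023, 4, 2)),
        Account("dave", True, date(2022, 6, 1), True, date(2024, 5, 31), None, date(2024, 5, 28), date(2024, 5, 29), date(2024, 3, 1)),
        Account("erin", False, date(2021, 2, 1), True, date(2023, 10, 1), date(2023, 11, 30), None, None, date(2023, 9, 1)),
    ]


AUDIT_DATE = date(2024, 6, 1)  # constructed audit date for the sample

if __name__ == "__main__":
    for name, criterion, message in audit(sample_inventory(), AUDIT_DATE):
        print(f"{name:<11} {criterion}  {message}")
```

The comparison operators matter: IDM-03 locks at the two-month mark, so "unused for exactly two months" is a finding, while IDM-04 counts an adjustment made on the deadline day itself as in time. The 7-day remediation window of IDM-05 ¶ 1 would be checked the same way once a finding has a detection date.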
Maintain a log of the overrides of the biometric system. CC ID 17000 | Technical security | Log Management | |
Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Establish/Maintain Documentation | |
Document approving and granting access in the access control log. CC ID 06786 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Approval by authorised individual(s) or system(s) for granting or modifying user accounts and access rights before data of the cloud customer or system components used to provision the cloud service can be accessed; IDM-01 ¶ 1 Bullet 5 A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Requirements for the approval and documentation of the management of user accounts and access rights. IDM-01 ¶ 1 Bullet 10] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
Include the user's location in the system record. CC ID 16996 | Technical security | Log Management | |
Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 [Secure the authorisation and authentication of users of the Cloud Service Provider (typically privileged users) to prevent unauthorised access. Section 5.7 Objective] | Technical security | Establish/Maintain Documentation | |
Include the purpose in the identification and authentication policy. CC ID 14234 | Technical security | Establish/Maintain Documentation | |
Include the scope in the identification and authentication policy. CC ID 14232 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the identification and authentication policy. CC ID 14230 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the identification and authentication policy. CC ID 14229 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the identification and authentication policy. CC ID 14227 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the identification and authentication policy. CC ID 14225 | Technical security | Establish/Maintain Documentation | |
Establish the requirements for Authentication Assurance Levels. CC ID 16958 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. CC ID 14197 | Technical security | Communicate | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Between logging servers and the assets to be logged, authentication takes place to protect the integrity and authenticity of the information transmitted and stored. The transfer takes place using state-of-the-art encryption or a dedicated administration network (out-of-band management). OPS-14 ¶ 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Authentication mechanisms; PSS-01 ¶ 2 Bullet 4] | Technical security | Establish/Maintain Documentation | |
Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. CC ID 17002 | Technical security | Technical Security | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
Disseminate and communicate user identifiers and authenticators using secure communication protocols. CC ID 06791 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: IDM-08 ¶ 1] | Technical security | Data and Information Management | |
Require proper authentication for user identifiers. CC ID 11785 | Technical security | Technical Security | |
Assign authentication mechanisms for user account authentication. CC ID 06856 [The Cloud Service Provider provides authentication mechanisms that can force strong authentication (e.g. two or more factors) for users, IT components or applications within the cloud users' area of responsibility. PSS-05 ¶ 1] | Technical security | Configuration | |
Require individuals to report lost or damaged authentication mechanisms. CC ID 17035 | Technical security | Communicate | |
Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a secure enrollment process for biometric systems. CC ID 17007 | Technical security | Process or Activity | |
Establish, implement, and maintain a fallback mechanism for when the biometric system fails. CC ID 17006 | Technical security | Technical Security | |
Prevent the disclosure of the closeness of the biometric data during the biometric verification. CC ID 17003 | Technical security | Technical Security | |
Notify a user when an authenticator for a user account is changed. CC ID 13820 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: The user is informed about changing or resetting the password. IDM-08 ¶ 1 Bullet 3] | Technical security | Communicate | |
Identify and control all network access controls. CC ID 00529 [{alternate} The cloud service can be accessed by other cloud services or IT systems of cloud customers through documented inbound and outbound interfaces. Further, the interfaces are clearly documented for subject matter experts on how they can be used to retrieve the data. PI-01 ¶ 1] | Technical security | Technical Security | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1 Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: in which cases the security zones are to be separated and in which cases cloud customers are to be logically or physically segregated; COS-02 ¶ 1 Bullet 1 Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: how the data traffic for administration and monitoring is segregated from each other on network level; COS-02 ¶ 1 Bullet 3] | Technical security | Establish/Maintain Documentation | |
Enforce the network segmentation requirements. CC ID 16381 | Technical security | Process or Activity | |
Protect system or device management and control planes from unwanted user plane traffic. CC ID 17063 | Technical security | Technical Security | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Technical Security | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: COS-02 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: COS-02 ¶ 1] | Technical security | Communicate | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
Maintain up-to-date network diagrams. CC ID 00531 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Establish/Maintain Documentation | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Communicate | |
Prevent the insertion of unauthorized network traffic into secure networks. CC ID 17050 | Technical security | Technical Security | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Technical Security | |
Implement segregation of duties. CC ID 11843 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Segregation of duties between operational and monitoring functions ("Segregation of Duties"); IDM-01 ¶ 1 Bullet 3 The rights profiles are suitable for enabling cloud users to manage access authorisations and permissions in accordance with the principle of least-privilege and how it is necessary for the performance of tasks ("need-to-know principle") and to implement the principle of functional separation between operational and controlling functions ("separation of duties"). PSS-08 ¶ 2] | Technical security | Technical Security | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 [Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment based on the requirements of the cloud customers. COS-04 ¶ 1 {be redundant} {be available} Each network perimeter is controlled by redundant and highly-available security gateways. COS-04 ¶ 2] | Technical security | Establish/Maintain Documentation | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Technical Security | |
Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Technical Security | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [Resources in the storage network are segmented by secure zoning (LUN binding and LUN masking). OPS-24 ¶ 2] | Technical security | Data and Information Management | |
Establish, implement, and maintain a network access control standard. CC ID 00546 [Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment based on the requirements of the cloud customers. COS-04 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Technical Security | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Establish/Maintain Documentation | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Technical security | Technical Security | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Configuration | |
Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 [{insecure protocol} At specified intervals, the business justification for using all services, protocols, and ports is reviewed. The review also includes the justifications for compensatory measures for the use of protocols that are considered insecure. COS-03 ¶ 4] | Technical security | Establish/Maintain Documentation | |
Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Technical security | Establish/Maintain Documentation | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Configuration | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which communication relationships and which network and application protocols are permitted in each case; COS-02 ¶ 1 Bullet 2] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. CC ID 17089 | Technical security | Communicate | |
Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
Filter packets based on IPv6 header fields. CC ID 17048 | Technical security | Technical Security | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Technical security | Technical Security | |
Filter traffic at firewalls based on application layer attributes. CC ID 17054 | Technical security | Technical Security | |
Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
Configure network flow monitoring to organizational standards. CC ID 16364 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | Technical security | Configuration | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Policies and instructions with technical and organisational safeguards in order to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction are documented, communicated and provided according to SP-01. The policies and instructions establish a reference to the classification of information (cf. AM-06). COS-08 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Establish/Maintain Documentation | |
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Establish/Maintain Documentation | |
Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Technical security | Establish/Maintain Documentation | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 | Technical security | Establish/Maintain Documentation | |
Include the data sensitivity levels in the information exchange procedures. CC ID 17024 | Technical security | Establish/Maintain Documentation | |
Include communication requirements in the information exchange procedures. CC ID 17026 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which cross-network communication is allowed. COS-02 ¶ 1 Bullet 5] | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Technical security | Establish/Maintain Documentation | |
Include contact information in the information exchange procedures. CC ID 17307 | Technical security | Establish/Maintain Documentation | |
Include implementation procedures in the information exchange procedures. CC ID 17022 | Technical security | Establish/Maintain Documentation | |
Include security controls in the information exchange procedures. CC ID 17021 | Technical security | Establish/Maintain Documentation | |
Include testing procedures in the information exchange procedures. CC ID 17020 | Technical security | Establish/Maintain Documentation | |
Include measurement criteria in the information exchange procedures. CC ID 17019 | Technical security | Establish/Maintain Documentation | |
Include training requirements in the information exchange procedures. CC ID 17017 | Technical security | Establish/Maintain Documentation | |
Test the information exchange procedures. CC ID 17115 | Technical security | Testing | |
Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Data and Information Management | |
Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Data and Information Management | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Data and Information Management | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Log Management | |
Establish, implement, and maintain allowlists and denylists of web content. CC ID 15234 | Technical security | Data and Information Management | |
Separate user functionality from system management functionality. CC ID 11858 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | Technical security | Technical Security | |
Control remote administration in accordance with organizational standards. CC ID 04459 [{acceptable use policy} {remote management} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Remote deactivation, deletion or blocking; AM-02 ¶ 1 Bullet 9] | Technical security | Configuration | |
Implement multifactor authentication techniques. CC ID 00561 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Two-factor authentication for access to areas hosting system components that process cloud customer information; PS-04 ¶ 3 Bullet 4 Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility requires two-factor authentication. OPS-16 ¶ 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1 Access to the non-production environment requires two-factor or multi-factor authentication. Within the non-production environment, users are authenticated using passwords, digitally signed certificates, or procedures that provide at least an equivalent level of security. IDM-09 ¶ 2 {dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1 The Cloud Service Provider provides authentication mechanisms that can force strong authentication (e.g. two or more factors) for users, IT components or applications within the cloud users' area of responsibility. PSS-05 ¶ 1] | Technical security | Configuration | |
Refrain from allowing individuals to self-enroll into multifactor authentication from untrusted devices. CC ID 17173 | Technical security | Technical Security | |
Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [{be appropriate} {be effective} Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. Section 5.8 Objective {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Technical security | Technical Security | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Consideration of relevant legal and regulatory obligations and requirements. CRY-01 ¶ 1 Bullet 4] | Technical security | Technical Security | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
Include monitoring procedures in the encryption management and cryptographic controls policy. CC ID 17207 | Technical security | Establish/Maintain Documentation | |
Include mitigation measures in the encryption management and cryptographic controls policy. CC ID 17206 | Technical security | Establish/Maintain Documentation | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 [{technical safeguard} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: CRY-01 ¶ 1] | Technical security | Communicate | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Establish/Maintain Documentation | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised; CRY-04 ¶ 1 Bullet 5] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 [{technical safeguard} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: CRY-01 ¶ 1] | Technical security | Communicate | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: If pre-shared keys are used, the specific provisions relating to the safe use of this procedure are specified separately. CRY-04 ¶ 1 Bullet 8] | Technical security | Establish/Maintain Documentation | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Secure storage of keys (separation of key management system from application and middleware level) including description of how authorised users get access; CRY-04 ¶ 1 Bullet 4] | Technical security | Establish/Maintain Documentation | |
Include cryptographic key expiration in the cryptographic key management procedures. CC ID 17079 | Technical security | Establish/Maintain Documentation | |
Generate strong cryptographic keys. CC ID 01299 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Data and Information Management | |
Generate unique cryptographic keys for each user. CC ID 12169 [{be different} Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Generation of keys for different cryptographic systems and applications; CRY-04 ¶ 1 Bullet 1] | Technical security | Technical Security | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Provisioning and activation of the keys; CRY-04 ¶ 1 Bullet 3] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Provisioning and activation of the keys; CRY-04 ¶ 1 Bullet 3] | Technical security | Data and Information Management | |
Store cryptographic keys securely. CC ID 01298 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Secure storage of keys (separation of key management system from application and middleware level) including description of how authorised users get access; CRY-04 ¶ 1 Bullet 4] | Technical security | Data and Information Management | |
Restrict access to cryptographic keys. CC ID 01297 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3 The private keys used for encryption are known to the customer exclusively and without exception in accordance with applicable legal and regulatory obligations and requirements. CRY-03 ¶ 2 The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Technical security | Data and Information Management | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon cryptographic key supersession. CC ID 17084 | Technical security | Communicate | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Data and Information Management | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised; CRY-04 ¶ 1 Bullet 5 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Handling of compromised keys; CRY-04 ¶ 1 Bullet 6 Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Withdrawal and deletion of keys; and CRY-04 ¶ 1 Bullet 7] | Technical security | Technical Security | |
Archive outdated cryptographic keys. CC ID 06884 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys; and CRY-01 ¶ 1 Bullet 3] | Technical security | Data and Information Management | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 [System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Issuing and obtaining public-key certificates; CRY-04 ¶ 1 Bullet 2] | Technical security | Establish/Maintain Documentation | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 [Procedures and technical safeguards for secure key management in the area of responsibility of the Cloud Service Provider include at least the following aspects: Issuing and obtaining public-key certificates; CRY-04 ¶ 1 Bullet 2] | Technical security | Establish/Maintain Documentation | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [Between logging servers and the assets to be logged, authentication takes place to protect the integrity and authenticity of the information transmitted and stored. The transfer takes place using state-of-the-art encryption or a dedicated administration network (out-of-band management). OPS-14 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of all data. CRY-02 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of data of cloud customers over public networks. CRY-02 ¶ 1] | Technical security | Technical Security | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 [{physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Technical security | Configuration | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Usage of strong encryption procedures and secure network protocols that correspond to the state-of-the-art; CRY-01 ¶ 1 Bullet 1 {be risk-based} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Risk-based provisions for the use of encryption which are aligned with the information classification schemes (cf. AM-06) and consider the communication channel, type, strength and quality of the encryption; CRY-01 ¶ 1 Bullet 2] | Technical security | Technical Security | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Technical Security | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Protection against malware; AM-02 ¶ 1 Bullet 8] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 [Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Operating protection programs on system components under the responsibility of the Cloud Service Provider that are used to provide the cloud service in the production environment; and OPS-04 ¶ 1 Bullet 2 Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Use of system-specific protection mechanisms; OPS-04 ¶ 1 Bullet 1 Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: Operation of protection programs for employees' terminal equipment. OPS-04 ¶ 1 Bullet 3] | Technical security | Communicate | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective Policies and instructions with specifications for protection against malware are documented, communicated, and provided in accordance with SP-01 with respect to the following aspects: OPS-04 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
Install security and protection software, as necessary. CC ID 00575 [System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily. OPS-05 ¶ 1] | Technical security | Configuration | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
Protect systems and devices from fragmentation based attacks and anomalies. CC ID 17058 | Technical security | Technical Security | |
Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for provisioning shared resources. CC ID 12181 [The contract between the Cloud Service Provider and the cloud customer regulates which data is made available to the cloud customer for his own analysis in the event of security incidents. SIM-03 ¶ 4 The Cloud Service Provider grants its cloud customers contractually guaranteed information and audit rights. COM-02 ¶ 2] | Technical security | Establish/Maintain Documentation | |
Employ an open virtualization format for provisioning software for virtual machines, as necessary. CC ID 12356 | Technical security | Configuration | |
Employ resource-isolation mechanisms in virtual environments. CC ID 12178 [{shared resource} Cloud customer data stored and processed on shared virtual and physical resources is securely and strictly separated according to a documented approach based on OIS-07 risk analysis to ensure the confidentiality and integrity of this data. OPS-24 ¶ 1] | Technical security | Configuration | |
Sanitize customer data from all shared resources upon agreement termination. CC ID 12175 [{alternate} Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. Section 5.10 Objective] | Technical security | Records Management | |
Return all unstructured data from all shared resources upon agreement termination. CC ID 12336 [{alternate} Enable the ability to access the cloud service via other cloud services or IT systems of the cloud customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the Cloud Service Provider. Section 5.10 Objective] | Technical security | Business Processes | |
Establish, implement, and maintain a physical and environmental protection policy. CC ID 14030 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical and environmental protection procedures. CC ID 14061 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the physical and environmental protection procedures to interested personnel and affected parties. CC ID 14175 [Security requirements for premises and buildings related to the cloud service provided, are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 The structural shell of premises and buildings related to the cloud service provided are physically solid and protected by adequate security measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). PS-03 ¶ 1 Security requirements for premises and buildings related to the cloud service provided, are based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security. The security requirements are documented, communicated and provided in a policy or concept according to SP-01. PS-01 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
Protect facilities from eavesdropping. CC ID 02222 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: PS-06 ¶ 1(d)] | Physical and environmental protection | Physical and Environmental Protection | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
Maintain all security alarm systems. CC ID 11669 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5] | Physical and environmental protection | Physical and Environmental Protection | |
Identify and document physical access controls for all physical entry points. CC ID 01637 [At access points to premises and buildings related to the cloud service provided, physical access controls are set up in accordance with the Cloud Service Provider's security requirements (cf. PS-01 Security Concept) to prevent unauthorised access. PS-04 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Control physical access to (and within) the facility. CC ID 01329 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Physical and Environmental Protection | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Log the individual's address in the facility access list. CC ID 16921 | Physical and environmental protection | Log Management | |
Log the contact information for the person authorizing access in the facility access list. CC ID 16920 | Physical and environmental protection | Log Management | |
Log the organization's name in the facility access list. CC ID 16919 | Physical and environmental protection | Log Management | |
Log the individual's name in the facility access list. CC ID 16918 | Physical and environmental protection | Log Management | |
Log the purpose in the facility access list. CC ID 16982 | Physical and environmental protection | Log Management | |
Log the level of access in the facility access list. CC ID 16975 | Physical and environmental protection | Log Management | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and PS-04 ¶ 3 Bullet 5] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Charge a fee for replacement of identification cards or badges, as necessary. CC ID 17001 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain a door security standard. CC ID 06686 [The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and environmental protection | Establish/Maintain Documentation | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
Restrict physical access mechanisms to authorized parties. CC ID 16924 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain a window security standard. CC ID 06689 [The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and environmental protection | Establish/Maintain Documentation | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Unauthorised access; PS-01 ¶ 2 Bullet 2] | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
Establish and maintain a visitor log. CC ID 00715 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Visitors and external personnel are tracked individually by the access control during their work in the premises and buildings, identified as such (e.g. by visible wearing of a visitor pass) and supervised during their stay; and PS-04 ¶ 3 Bullet 5] | Physical and environmental protection | Log Management | |
Record the purpose of the visit in the visitor log. CC ID 16917 | Physical and environmental protection | Log Management | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the date and time of departure in the visitor log. CC ID 16897 | Physical and environmental protection | Log Management | |
Record the type of identification used in the visitor log. CC ID 16916 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain a physical access log. CC ID 12080 [The requirements for the access control system are documented, communicated and provided in a policy or concept in accordance with SP-01 and include the following aspects: Existence and nature of access logging that enables the Cloud Service Provider, in the sense of an effectiveness audit, to check whether only defined personnel have entered the premises and buildings related to the cloud service provided. PS-04 ¶ 3 Bullet 6] | Physical and environmental protection | Establish/Maintain Documentation | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Include the requestor's name in the physical access log. CC ID 16922 | Physical and environmental protection | Log Management | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
Employ security guards to provide physical security, as necessary. CC ID 06653 [{video surveillance camera} {burglar alarm} The security measures installed at the site include permanently present security personnel (at least 2 individuals), video surveillance and anti-burglary systems. PS-03 ¶ 5] | Physical and environmental protection | Establish Roles | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 [{security requirement} The surrounding wall constructions as well as the locking mechanisms meet the associated requirements. PS-03 ¶ 4] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Physical and environmental protection | Physical and Environmental Protection | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Physical delivery and transport; AM-02 ¶ 1 Bullet 10] | Physical and environmental protection | Records Management | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
Protect distributed assets against theft. CC ID 06799 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Physical and environmental protection | Physical and Environmental Protection | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
Obtain management approval prior to decommissioning assets. CC ID 17269 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Physical and environmental protection | Business Processes | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
Disseminate and communicate the end user computing device security guidelines to interested personnel and affected parties. CC ID 16925 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the mobile device management policy to interested personnel and affected parties. CC ID 16998 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain mobile device activation procedures. CC ID 16999 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
Include a "Return to Sender" text file on mobile devices. CC ID 17075 | Physical and environmental protection | Process or Activity | |
Include usage restrictions for untrusted networks in the mobile device security guidelines. CC ID 17076 | Physical and environmental protection | Establish/Maintain Documentation | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 [{physical separation} In the case of IaaS/PaaS, the secure segregation is ensured by physically separated networks or by means of strongly encrypted VLANs. For the definition of strong encryption, the BSI Technical Guideline TR-02102 must be considered. COS-06 ¶ 2] | Physical and environmental protection | Physical and Environmental Protection | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [Any assets handed over are provably returned upon termination of employment. AM-05 ¶ 2] | Physical and environmental protection | Behavior | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain environmental control procedures. CC ID 12246 [The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Protection of power supply and telecommunications lines against interruption, interference, damage and eavesdropping. The protection is checked regularly, but at least every two years, as well as in case of suspected manipulation by qualified personnel regarding the following aspects: PS-06 ¶ 1(d)] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Establish/Maintain Documentation | |
Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and environmental protection | Physical and Environmental Protection | |
Build critical facilities according to applicable building codes. CC ID 06366 [The structural shell of premises and buildings related to the cloud service provided are physically solid and protected by adequate security measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). PS-03 ¶ 1 The outer doors, windows and other construction elements exhibit an appropriate security level and withstand a burglary attempt for at least 10 minutes. PS-03 ¶ 3] | Physical and environmental protection | Physical and Environmental Protection | |
Build critical facilities with fire resistant materials. CC ID 06365 | Physical and environmental protection | Physical and Environmental Protection | |
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Physical and Environmental Protection | |
Build critical facilities with water-resistant materials. CC ID 11679 | Physical and environmental protection | Physical and Environmental Protection | |
Define selection criteria for facility locations. CC ID 06351 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Install and maintain smoke control systems. CC ID 17291 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: PS-05 ¶ 1] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Physical and environmental protection | Establish/Maintain Documentation | |
Install and maintain fire protection equipment. CC ID 00728 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Early fire detection with automatic voltage release. The monitored areas are sufficiently fragmented to ensure that the prevention of the spread of incipient fires is proportionate to the maintenance of the availability of the cloud service provided; PS-05 ¶ 1(b) Bullet 1 {fire extinguishing system} Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Extinguishing system or oxygen reduction; and PS-05 ¶ 1(b) Bullet 2 The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Fire and smoke; PS-01 ¶ 2 Bullet 5] | Physical and environmental protection | Configuration | |
Install and maintain fire suppression systems. CC ID 00729 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Fire and smoke; PS-01 ¶ 2 Bullet 5 Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: PS-05 ¶ 1] | Physical and environmental protection | Configuration | |
Install and maintain fire alarm systems. CC ID 17267 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Fire alarm system with reporting to the local fire department. PS-05 ¶ 1(b) Bullet 3] | Physical and environmental protection | Physical and Environmental Protection | |
Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Regular fire protection inspections to check compliance with fire protection requirements; and PS-05 ¶ 1(c) Bullet 1] | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Establishment of fire sections with a fire resistance duration of at least 90 minutes for all structural parts. PS-05 ¶ 1(a) ¶ 1] | Physical and environmental protection | Physical and Environmental Protection | |
Conduct fire drills, as necessary. CC ID 13985 [Premises and buildings related to the cloud service provided are protected from fire and smoke by structural, technical and organisational measures that meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and include the following aspects: Regular fire protection exercises. PS-05 ¶ 1(c) Bullet 2] | Physical and environmental protection | Process or Activity | |
Employ environmental protections. CC ID 12570 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 [{be insufficient} The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Insufficient air-conditioning; PS-01 ¶ 2 Bullet 4 {operating parameter} {be the highest} The cooling supply is designed in such a way that the permissible operating and environmental parameters are also ensured on at least five consecutive days with the highest outside temperatures measured to date within a radius of at least 50 km around the locations of the premises and buildings, with a safety margin of 3 K (in relation to the outside temperature). The Cloud Service Provider has previously determined the highest outdoor temperatures measured to date (cf. PS-01 Security Concept). PS-06 ¶ 3] | Physical and environmental protection | Configuration | |
Alert appropriate personnel when an environmental control alert threshold is exceeded. CC ID 17268 [The environmental parameters are monitored. When the permitted control range is exceeded, alarm messages are generated and forwarded to the Cloud Service Provider's subject matter experts. PS-05 ¶ 2 The operating parameters of the technical utilities (cf. PS-06) and the environmental parameters of the premises and buildings related to the cloud service provided are monitored and controlled in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept). When the permitted control range is exceeded, the responsible departments of the Cloud-Provider are automatically informed in order to promptly initiate the necessary measures for return to the control range. PS-07 ¶ 1] | Physical and environmental protection | Communicate | |
Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Air ventilation and filtration. PS-01 ¶ 2 Bullet 8] | Physical and environmental protection | Configuration | |
Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 [{power supply} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Operational redundancy (N+1) in power and cooling supply PS-06 ¶ 1(a)] | Physical and environmental protection | Configuration | |
Protect physical assets from water damage. CC ID 00730 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Water; PS-01 ¶ 2 Bullet 6] | Physical and environmental protection | Configuration | |
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain a business continuity program. CC ID 13210 [Based on the business impact analysis, a single framework for operational continuity and business plan planning will be implemented, documented and enforced to ensure that all plans are consistent. Planning is based on established standards, which are documented in a "Statement of Applicability". BCM-03 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the business continuity policy. CC ID 17203 | Operational and Systems Continuity | Systems Continuity | |
Include compliance requirements in the business continuity policy. CC ID 14237 [The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include management commitment in the business continuity policy. CC ID 14233 [People in management and other relevant leadership positions demonstrate leadership and commitment to this issue by encouraging employees to actively contribute to the effectiveness of continuity and emergency management. BCM-01 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the scope in the business continuity policy. CC ID 14231 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 | Operational and Systems Continuity | Communicate | |
Include the purpose in the business continuity policy. CC ID 14188 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a business continuity testing policy. CC ID 13235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include documentation requirements in the business continuity testing policy. CC ID 14377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include reporting requirements in the business continuity testing policy. CC ID 14397 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for support functions in the business continuity testing policy. CC ID 13239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include data recovery in the business continuity testing strategy. CC ID 13262 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing critical applications in the business continuity testing strategy. CC ID 13261 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain the scope of the continuity framework. CC ID 11908 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined purpose and scope with consideration of the relevant dependencies; BCM-03 ¶ 2 Bullet 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define the executive vision of the continuity planning process. CC ID 01243 [Based on the business impact analysis, a single framework for operational continuity and business plan planning will be implemented, documented and enforced to ensure that all plans are consistent. Planning is based on established standards, which are documented in a "Statement of Applicability". BCM-03 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 [The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1 Exit strategies are aligned with operational continuity plans and include the following aspects: Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition; SSO-05 ¶ 2 Bullet 2 {take into account} Business continuity plans and contingency plans take the following aspects into account: Ownership by at least one designated person responsible for review, updating and approval; BCM-03 ¶ 2 Bullet 3] | Operational and Systems Continuity | Establish Roles | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2 {take into account} Business continuity plans and contingency plans take the following aspects into account: Interfaces to Security Incident Management. BCM-03 ¶ 2 Bullet 8] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{take into account} {come into effect} Business continuity plans and contingency plans take the following aspects into account: Methods for putting the plans into effect; BCM-03 ¶ 2 Bullet 6 {take into account} Business continuity plans and contingency plans take the following aspects into account: Continuous process improvement; and BCM-03 ¶ 2 Bullet 7 {take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5 The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Human Resources Management | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Estimation of the resources needed for resumption. BCM-02 ¶ 1 Bullet 10 The top management (or a member of the top management) of the Cloud Service Provider is named as the process owner of business continuity and emergency management and is responsible for establishing the process within the company as well as ensuring compliance with the guidelines. They must ensure that sufficient resources are made available for an effective process. BCM-01 ¶ 1] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include tolerance levels in the continuity plan. CC ID 17305 | Operational and Systems Continuity | Systems Continuity | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 [{power supply facility} {emergency power solution} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-06 ¶ 1(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 [The security requirements for data centres are based on criteria which comply with established rules of technology. They are suitable for addressing the following risks in accordance with the applicable legal and contractual requirements: Power failure; and PS-01 ¶ 2 Bullet 7] | Operational and Systems Continuity | Configuration | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore system interconnections in the recovery plan. CC ID 17100 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include voltage and frequency requirements in the recovery plan. CC ID 17098 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 [The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Recovery time to start emergency operation BC-03 ¶ 1 Bullet 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 [{data recovery} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. OPS-06 ¶ 1] | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 [Policies and instructions to determine the impact of any malfunction to the cloud service or enterprise are documented, communicated and made available in accordance with SP-01. The following aspects are considered as minimum: Identification of restoration priorities; BCM-02 ¶ 1 Bullet 7] | Operational and Systems Continuity | Establish Roles | |
Include the recovery plan in the continuity plan. CC ID 01377 [{take into account} {manual mechanism} Business continuity plans and contingency plans take the following aspects into account: Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers); BCM-03 ¶ 2 Bullet 5] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate continuity requirements to interested personnel and affected parties. CC ID 17045 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify and document critical facilities. CC ID 17304 | Operational and Systems Continuity | Systems Continuity | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: PS-06 ¶ 1 {power supply} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Operational redundancy (N+1) in power and cooling supply PS-06 ¶ 1(a) Uninterruptible Power Supplies (UPS) and Emergency Power Supplies (NPS) are designed to meet the availability requirements defined in the Service Level Agreement. PS-06 ¶ 2] | Operational and Systems Continuity | Configuration | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Physical and Environmental Protection | |
Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Physical and Environmental Protection | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Configuration | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 | Operational and Systems Continuity | Physical and Environmental Protection | |
Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Physical and Environmental Protection | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations. Section 5.5 Objective] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include load-shedding in the emergency operating procedures. CC ID 17133 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include redispatch of generation requests in the emergency operating procedures. CC ID 17132 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include transmission system reconfiguration in the emergency operating procedures. CC ID 17130 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include outages in the emergency operating procedures. CC ID 17129 [{exceptional circumstance} {maximum tolerable downtime} The security requirements include time constraints for self-sufficient operation in the event of exceptional events (e.g. prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime. PS-01 ¶ 5] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include energy resource management in the emergency operating procedures. CC ID 17128 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document the mean time to failure for system components. CC ID 10684 [The time limits for self-sufficient operation provide for at least 48 hours in the event of a failure of the external power supply. PS-01 ¶ 6 {exceptional circumstance} {maximum tolerable downtime} The security requirements include time constraints for self-sufficient operation in the event of exceptional events (e.g. prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime. PS-01 ¶ 5] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Recovery time (time elapsed until the incident has been resolved); and BC-02 ¶ 1 Bullet 4 The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Maximum tolerable downtime/Recovery Time Objective (RTO) BC-03 ¶ 1 Bullet 1 The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Restore time until normal operation BC-03 ¶ 1 Bullet 5] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 [The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Maximum allowable data loss/Recovery Point Objective (RPO) BC-03 ¶ 1 Bullet 2 {recovery level objective} The Cloud Service Provider provides subject matter experts of the cloud customers with comprehensible and transparent information on the following recovery parameters of the cloud service, if required: Recovery level (capacity related to regular operation) BC-03 ¶ 1 Bullet 4] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Recovery time (time to completion of error handling); COM-03 ¶ 3 Bullet 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 [The communication of changes to the interfaces and dependencies takes place in a timely manner so that the affected organisations and third parties can react appropriately with organisational and technical measures before the changes take effect. OIS-03 ¶ 3 {security requirements} The policies and instructions describe at least the following aspects: Roles and dependencies on other organisations (especially cloud customers and subservice organisations); SP-01 ¶ 3 Bullet 4] | Operational and Systems Continuity | Behavior | |
Include the capacity of critical resources in the critical resource list. CC ID 17099 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [{separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2] | Operational and Systems Continuity | Physical and Environmental Protection | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Operational and Systems Continuity | Systems Continuity | |
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider's operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO); OPS-06 ¶ 1 Bullet 1] | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate the backup procedures to interested personnel and affected parties. CC ID 17271 [{data recovery} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. OPS-06 ¶ 1] | Operational and Systems Continuity | Communicate | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 [{physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Operational and Systems Continuity | Data and Information Management | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 [Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Access to the backed-up data and the execution of restores is performed only by authorised persons; and OPS-06 ¶ 1 Bullet 3] | Operational and Systems Continuity | Data and Information Management | |
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
Perform backup procedures for in scope systems. CC ID 11692 [Interfaces are available to conduct forensic analyses and perform backups of infrastructure components and their network communication. OPS-15 ¶ 2] | Operational and Systems Continuity | Process or Activity | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
Encrypt backup data. CC ID 00958 [{encrypted format} Policies and instructions for data backup and recovery are documented, communicated and provided in accordance with SP-01 regarding the following aspects. Data is backed up in encrypted, state-of-the-art form; OPS-06 ¶ 1 Bullet 2 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Operational and Systems Continuity | Configuration | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Defined communication channels, roles and responsibilities including notification of the customer; BCM-03 ¶ 2 Bullet 4] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the business continuity program to interested personnel and affected parties. CC ID 17080 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Accessibility and comprehensibility of the plans for persons who are to act accordingly; BCM-03 ¶ 2 Bullet 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 [If the Cloud Service Provider uses premises or buildings operated by third parties to provide the Cloud Service, the document describes which security requirements the Cloud Service Provider places on these third parties. PS-01 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include alert processes in Service Level Agreements for alternate facilities. CC ID 17127 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include monitoring and logging processes in Service Level Agreements for alternate facilities. CC ID 17126 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located in an adequate distance to each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2 {physical security measure} {be the same} The Cloud Service Provider transfers data to be backed up to a remote location or transports these on backup media to a remote location. If the data backup is transmitted to the remote location via a network, the data backup or the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art. The distance to the main site is chosen after sufficient consideration of the factors recovery times and impact of disasters on both sites. The physical and environmental security measures at the remote site are at the same level as at the main site. OPS-09 ¶ 1] | Operational and Systems Continuity | Configuration | |
Train personnel on the continuity plan. CC ID 00759 [{take into account} Business continuity plans and contingency plans take the following aspects into account: Accessibility and comprehensibility of the plans for persons who are to act accordingly; BCM-03 ¶ 2 Bullet 2] | Operational and Systems Continuity | Behavior | |
Include coordination and interfaces among third parties in continuity plan training. CC ID 17102 | Operational and Systems Continuity | Training | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Training | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Training | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Training | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Training | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery procedures in the continuity test plan. CC ID 14876 [At the customer's request, the Cloud Service Provider informs the cloud customer of the results of the recovery tests. Recovery tests are embedded in the Cloud Service Provider's emergency management. OPS-08 ¶ 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Address identified deficiencies in the continuity plan test results. CC ID 17209 [The business impact analysis, business continuity plans and contingency plans are reviewed, updated and tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected customers (tenants) and relevant third parties. The tests are documented and results are taken into account for future operational continuity measures. BCM-04 ¶ 1] | Operational and Systems Continuity | Testing | |
Notify interested personnel and affected parties of the time requirements for updating continuity plans. CC ID 17134 | Operational and Systems Continuity | Communicate | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Establish Roles | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [Policies and instructions for risk management procedures are documented, communicated and provided in accordance with SP-01 for the following aspects: Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners; OIS-06 ¶ 1 Bullet 1] | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 [The Cloud Service Provider informs employees and external business partners of their obligations. If necessary, they agree to or are contractually obliged to report all security events that become known to them and are directly related to the cloud service provided by the Cloud Service Provider to a previously designated central office of the Cloud Service Provider promptly. SIM-04 ¶ 1] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Human Resources Management | |
Document the use of external experts. CC ID 16263 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for the biometric system. CC ID 17004 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Human Resources Management | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Human Resources Management | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
Require all new hires to sign Acceptable Use Policies. CC ID 06662 [The Cloud Service Provider's internal and external employees are provably committed to the policies and instructions for acceptable use and safe handling of assets before they can be used if the Cloud Service Provider has determined in a risk assessment that loss or unauthorised access could compromise the information security of the Cloud Service. AM-05 ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a criminal records check during personnel screening. CC ID 06643 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Request of a police clearance certificate for applicants; HR-01 ¶ 2 Bullet 4] | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Certificate of good conduct or national equivalent; and HR-01 ¶ 2 Bullet 5] | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of academic titles and degrees; HR-01 ¶ 2 Bullet 3] | Human Resources management | Establish/Maintain Documentation | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 [{competency} {integrity} To the extent permitted by law, the review will cover the following areas: Verification of the CV; HR-01 ¶ 2 Bullet 2] | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation's assets are protected in the event of changes in responsibilities or termination. Section 5.3 Objective] | Human Resources management | Establish/Maintain Documentation | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Human Resources Management | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Human Resources Management | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [{duration} Internal and external employees have been informed about which responsibilities, arising from employment terms and conditions relating to information security, will remain in place when their employment is terminated or changed and for how long. HR-05 ¶ 1] | Human Resources management | Human Resources Management | |
Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1] | Human Resources management | Behavior | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Training | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Training | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Training | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Include cloud security in the security awareness program. CC ID 13039 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; HR-03 ¶ 1 Bullet 1] | Human Resources management | Training | |
Establish, implement, and maintain a security awareness program. CC ID 11746 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2 The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1 The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Information security awareness and training requirements for staff; SSO-01 ¶ 1 Bullet 4] | Human Resources management | Establish/Maintain Documentation | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 [The Cloud Service Provider provides a training program for regular, target group-oriented security training and awareness for internal and external employees on standards and methods of secure software development and provision as well as on how to use the tools used for this purpose. The program is regularly reviewed and updated with regard to the applicable policies and instructions, the assigned roles and responsibilities and the tools used. DEV-04 ¶ 1] | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include data management in the security awareness program. CC ID 17010 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Handling cloud customer data in accordance with applicable policies and instructions and applicable legal and regulatory requirements; HR-03 ¶ 1 Bullet 2] | Human Resources management | Training | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
Include updates on emerging issues in the security awareness program. CC ID 13184 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Information about the current threat situation; and HR-03 ¶ 1 Bullet 3 The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: HR-03 ¶ 1] | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 [{security awareness and training program} {quantitative factor} {qualitative factor} The learning outcomes achieved through the awareness and training programme are measured and evaluated in a target group-oriented manner. The measurements cover quantitative and qualitative aspects. The results are used to improve the awareness and training programme. HR-03 ¶ 2] | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [The Cloud Service Provider informs employees and external business partners of their obligations. If necessary, they agree to or are contractually obliged to report all security events that become known to them and are directly related to the cloud service provided by the Cloud Service Provider to a previously designated central office of the Cloud Service Provider promptly. SIM-04 ¶ 1] | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [The information security policy, and the policies and instructions based on it, are to be acknowledged by the internal and external personnel in a documented form before access is granted to any cloud customer data or system components under the responsibility of the Cloud Service Provider used to provide the cloud service in the production environment. HR-02 ¶ 2 Ensure that employees understand their responsibilities, are aware of their responsibilities with regard to information security, and that the organisation's assets are protected in the event of changes in responsibilities or termination. Section 5.3 Objective] | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The Cloud Service Provider executes the process for handling risks as needed or at least once a year. The following aspects are taken into account when identifying risks, insofar as they are applicable to the cloud service provided and are within the area of responsibility of the Cloud Service Provider: Conflicting tasks and areas of responsibility that cannot be separated for organisational or technical reasons; and OIS-07 ¶ 1 Bullet 4] | Human Resources management | Establish/Maintain Documentation | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Establish/Maintain Documentation | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Human Resources management | Monitor and Evaluate Occurrences | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Communicate | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Establish/Maintain Documentation | |
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [The Cloud Service Provider's internal and external employees are required by the employment terms and conditions to comply with applicable policies and instructions relating to information security. HR-02 ¶ 1] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload. OPS-01 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 [The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid possible capacity bottlenecks. The procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload. OPS-01 ¶ 1 The forecasts are considered in accordance with the service level agreement for planning and preparing the provisioning. OPS-01 ¶ 3 Cloud Service Providers take appropriate measures to ensure that they continue to meet the requirements agreed with cloud customers for the provision of the cloud service in the event of capacity bottlenecks or outages regarding personnel and IT resources, in particular those relating to the dedicated use of system components, in accordance with the respective agreements. OPS-01 ¶ 2] | Operational management | Business Processes | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Operational management | Business Processes | |
Limit any effects of a Denial of Service attack. CC ID 06754 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Operational management | Technical Security | |
Implement network redundancy, as necessary. CC ID 13048 [The connection to the telecommunications network is designed with sufficient redundancy so that the failure of a telecommunications network does not impair the security or performance of the Cloud Service Provider. PS-06 ¶ 4] | Operational management | Systems Continuity | |
Manage cloud services. CC ID 13144 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Policies, procedures and measures, including the controls implemented to provide (develop and operate) the cloud services with respect to the applicable C5 criteria; Section 3.4.4.1 ¶ 1 Bullet 5] | Operational management | Business Processes | |
Refrain from implementing network elements in a public cloud. CC ID 16382 | Operational management | Technical Security | |
Protect clients' hosted environments. CC ID 11862 | Operational management | Physical and Environmental Protection | |
Notify interested personnel and affected parties of the geographic locations of the cloud service organization and its assets. CC ID 13037 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Operational management | Communicate | |
Establish, implement, and maintain cloud service agreements. CC ID 13157 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: Its jurisdiction; and BC-01 ¶ 1 Bullet 1 In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2 {technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Provision to cloud customers according to contractual agreements. OPS-11 ¶ 1 Bullet 6 {provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3 The Cloud Service Provider's procedures for deleting the cloud customers' data upon termination of the contractual relationship ensure compliance with the contractual agreements (cf. PI-02). PI-03 ¶ 1 The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for the contractual agreement of these requirements; SSO-01 ¶ 1 Bullet 7 In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Type, scope and format of the data the Cloud Service Provider provides to the cloud customer; PI-02 ¶ 1 Bullet 1 {make available} In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Definition of the timeframe, within which the Cloud Service Provider makes the data available to the cloud customer; PI-02 ¶ 1 Bullet 2 {make inaccessible} In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: Definition of the point in time as of which the Cloud Service Provider makes the data inaccessible to the cloud customer and deletes these; and PI-02 ¶ 1 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include data sovereignty requirements in cloud service agreements. CC ID 16931 [{provision} {data} The design of the aspects is based on legal and regulatory requirements in the environment of the Cloud Service Provider. The Cloud Service Provider identifies the requirements regularly, at least once a year, and checks these for actuality and adjusts the contractual agreements accordingly. PI-02 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include the asset removal policy in the cloud service agreement. CC ID 13161 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain cloud management procedures. CC ID 13149 [{is able} {specify} {locations} {data processing} {storage} This must be ensured by the cloud architecture. PSS-12 ¶ 2] | Operational management | Technical Security | |
Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 | Operational management | Process or Activity | |
Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 | Operational management | Process or Activity | |
Include cloud security requirements in the cloud management procedures. CC ID 16366 [Provide policies and instructions regarding security requirements and to support business requirements. Section 5.2 Objective {information security policy} {legal and regulatory requirements} The review shall consider at least the following aspects: Legal and regulatory changes in the Cloud Service Provider's environment. SP-02 ¶ 2 Bullet 2 {technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider creates regular reports on the checks performed, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. Updates are applied at the highest frequency that the vendor(s) contractually offer(s). OPS-04 ¶ 2 {applicable requirements} The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service as well as the Cloud Service Provider's procedures for complying with these requirements are explicitly defined and documented. COM-01 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a cloud service usage standard. CC ID 13143 [{technical safeguard} Technical and organisational safeguards for the monitoring and provisioning and de-provisioning of cloud services are defined. Thus, the Cloud Service Provider ensures that resources are provided and/or services are rendered according to the contractual agreements and that compliance with the service level agreements is ensured. OPS-02 ¶ 1 The Cloud Service Provider provides cloud customers with guidelines and recommendations for the secure use of the cloud service provided. The information contained therein is intended to assist the cloud customer in the secure configuration, installation and use of the cloud service, to the extent applicable to the cloud service and the responsibility of the cloud user. PSS-01 ¶ 1 {secure use} The information is maintained so that it is applicable to the cloud service provided in the version intended for productive use. PSS-01 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Use strong data encryption when storing information within a cloud service. CC ID 16411 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Operational management | Technical Security | |
Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 [In contractual agreements, the following aspects are defined with regard to the termination of the contractual relationship, insofar as these are applicable to the cloud service: The cloud customers' responsibilities and obligations to cooperate for the provision of the data. PI-02 ¶ 1 Bullet 4 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements; DEV-03 ¶ 1 Bullet 4 The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Services and functions for administration of the cloud service by privileged users. PSS-01 ¶ 2 Bullet 6] | Operational management | Establish/Maintain Documentation | |
Include information security requirements in the cloud service usage standard. CC ID 13148 [{access roles} {access rights} The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Roles and rights concept including combinations that result in an elevated risk; and PSS-01 ¶ 2 Bullet 5] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 [To monitor capacity and availability, the relevant information is available to the cloud customer in a self-service portal. OPS-02 ¶ 2 The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for the monitoring of these requirements; and SSO-01 ¶ 1 Bullet 8 {be specific} {logical separation} The Cloud Service Provider provides a customer-specific logging (in terms of scope and duration of retention period) upon request of the Cloud Customer. Depending on the protection requirements of the Cloud Service Provider and the technical feasibility, a logical or physical separation of log and customer data is carried out. OPS-14 ¶ 3] | Operational management | Communicate | |
Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 | Operational management | Communicate | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 [{security requirements} The policies and instructions describe at least the following aspects: Applicable legal and regulatory requirements. SP-01 ¶ 3 Bullet 6] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Description of the system components for providing the cloud service; Section 3.4.4.1 ¶ 1 Bullet 2 {audit criteria} For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Applicable C5 criteria; Section 3.4.4.1 ¶ 1 Bullet 4 For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Complementary customer controls assumed in the design of the Cloud Service Provider's controls; and Section 3.4.4.1 ¶ 1 Bullet 7] | Operational management | Business Processes | |
Include cloud services in the internal control framework. CC ID 17262 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Name, type and scope of cloud services provided; Section 3.4.4.1 ¶ 1 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Include cloud security controls in the internal control framework. CC ID 17264 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Name, type and scope of cloud services provided; Section 3.4.4.1 ¶ 1 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 [For an attestation engagement, the Cloud Service Provider's service-related system of internal control to meet the C5 criteria shall include the following minimum content in order to provide customers with sufficient transparency about the information security of the cloud service: Dealing with significant events and conditions that represent exceptions to normal operation, such as security incidents or the failure of system components; Section 3.4.4.1 ¶ 1 Bullet 6] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 [Plan, implement, maintain and continuously improve the information security framework within the organisation Section 5.1 Objective The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: OIS-01 ¶ 2 The Cloud Service Provider operates an information security management system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers the Cloud Service Provider's organisational units, locations and procedures for providing the cloud service. OIS-01 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 [Specific security requirements are designed, published and provided for establishing connections within the Cloud Service Provider's network. The security requirements define for the Cloud Service Provider's area of responsibility: which internal, cross-location communication is permitted; and COS-02 ¶ 1 Bullet 4 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Recovery time (time until completion of error handling). SSO-04 ¶ 5 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate | |
Include how the information security department is organized in the information security program. CC ID 12379 [{information security policy} The policy describes: the organisational structure for information security in the ISMS application area. OIS-02 ¶ 2 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security policy. CC ID 11740 [The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers. OIS-02 ¶ 1 Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1 Information security policies and instructions are reviewed at least annually for adequacy by the Cloud Service Provider's subject matter experts. SP-02 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation | |
Include business processes in the information security policy. CC ID 16326 [Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 [{security requirements} The policies and instructions describe at least the following aspects: Steps for the execution of the security strategy; and SP-01 ¶ 3 Bullet 5 {information security policy} The policy describes: the most important aspects of the security strategy to achieve the security objectives set; and OIS-02 ¶ 2 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 [{security requirements} The policies and instructions describe at least the following aspects: Roles and responsibilities, including staff qualification requirements and the establishment of substitution rules; SP-01 ¶ 3 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 [{information security policy} The policy describes: the importance of information security, based on the requirements of cloud customers in relation to information security; OIS-02 ¶ 2 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 [{security requirements} The policies and instructions describe at least the following aspects: Objectives; SP-01 ¶ 3 Bullet 1 {information security policy} The policy describes: the security objectives and the desired security level, based on the business goals and tasks of the Cloud Service Provider; OIS-02 ¶ 2 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [{information security policy} Revised policies and instructions are approved before they become effective. SP-02 ¶ 3 {information security policy} The policies and instructions are version controlled and approved by the top management of the Cloud Service Provider or an authorised body. SP-01 ¶ 2] | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [{security requirements} The policies and instructions describe at least the following aspects: Roles and dependencies on other organisations (especially cloud customers and subservice organisations); SP-01 ¶ 3 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers. OIS-02 ¶ 1 Policies and instructions (incl. concepts and guidelines) are derived from the information security policy and are documented according to a uniform structure. They are communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner. SP-01 ¶ 1] | Operational management | Communicate | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Operational management | Establish/Maintain Documentation | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Establish/Maintain Documentation | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Establish/Maintain Documentation | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 [Based on the results of a risk analysis carried out according to OIS-06, the Cloud Service Provider has implemented technical safeguards which are suitable to promptly detect and respond to network-based attacks on the basis of irregular incoming or outgoing traffic patterns and/or Distributed Denial of Service (DDoS) attacks. Data from corresponding technical protection measures implemented is fed into a comprehensive SIEM (Security Information and Event Management) system, so that (counter) measures regarding correlating events can be initiated. The safeguards are documented, communicated and provided in accordance with SP-01. COS-01 ¶ 1] | Operational management | Communicate | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [The Cloud Service Provider has an approval process for the use of hardware to be commissioned, which is used to provide the cloud service in the production environment, in which the risks arising from the commissioning are identified, analysed and mitigated. Approval is granted after verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies. AM-03 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Classification and labelling based on the need for protection of the information and measures for the level of protection identified; AM-02 ¶ 1 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Restriction of software installations or use of services; AM-02 ¶ 1 Bullet 7] | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 [Personal data is automatically removed from the log data before the Cloud Service Provider processes it as far as technically possible. The removal is done in a way that allows the Cloud Service Provider to continue to use the log data for the purpose for which it was collected. OPS-11 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Restriction of software installations or use of services; AM-02 ¶ 1 Bullet 7 {acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Handling of software for which support and security patches are not available anymore; AM-02 ¶ 1 Bullet 6] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 [Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: AM-02 ¶ 1] | Operational management | Communicate | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{nondisclosure agreement} The requirements must be documented and reviewed at regular intervals (at least annually). If the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements are updated. HR-06 ¶ 3 {nondisclosure agreement} The non-disclosure or confidentiality agreements to be agreed with internal employees, external service providers and suppliers of the Cloud Service Provider are based on the requirements identified by the Cloud Service Provider for the protection of confidential information and operational details. HR-06 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 [{confidentiality agreement} The Cloud Service Provider must inform the internal employees, external service providers and suppliers and obtain confirmation of the updated confidentiality or non-disclosure agreement. HR-06 ¶ 4] | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [The agreements are to be accepted by external service providers and suppliers when the contract is agreed. The agreements must be accepted by internal employees of the Cloud Service Provider before authorisation to access data of cloud customers is granted. HR-06 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{information security requirement} Avoid non-compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements. Section 5.15 Objective] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Business Processes | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a network management program. CC ID 13123 [The Cloud Service Provider validates the functionality of the SDN functions before providing new SDN features to cloud users or modifying existing SDN features. Identified defects are assessed and corrected in a risk-oriented manner. PSS-10 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include quality of service requirements in the network management program. CC ID 16429 | Operational management | Establish/Maintain Documentation | |
Document the network design in the network management program. CC ID 13135 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain network documentation. CC ID 16497 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Operational management | Communicate | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 [{centrally manage} Physical assets of internal and external employees are managed centrally. AM-05 ¶ 3] | Operational management | Business Processes | |
Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
Define the requirements for where assets can be located. CC ID 17051 | Operational management | Business Processes | |
Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
Include installation requirements in the asset management program. CC ID 17195 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 [{be risk-based} Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Risk-based provisions for the use of encryption which are aligned with the information classification schemes (cf. AM-06) and consider the communication channel, type, strength and quality of the encryption; CRY-01 ¶ 1 Bullet 2] | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [The cloud provider provides subject matter experts of cloud customers with comprehensible and transparent information on the availability of the data centres used to provide the cloud service (including data centres operated by subcontractors), as needed. The information shows availability and downtime over one year according to industry standard classification schemes. The information enables cloud customers to assess the cloud service as part of their business impact analysis. BC-04 ¶ 1 The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Performance and availability of system components; SSO-04 ¶ 5 Bullet 2 Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Performance and availability of these system components; COM-03 ¶ 3 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [The maximum tolerable downtimes of utility facilities are suitable for meeting the availability requirements contained in the service level agreement. PS-01 ¶ 9] | Operational management | Process or Activity | |
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Classification and labelling based on the need for protection of the information and measures for the level of protection identified; AM-02 ¶ 1 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
Classify assets according to the Asset Classification Policy. CC ID 07186 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Operational management | Establish Roles | |
Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 [Identify the organisation's own assets and ensure an appropriate level of protection throughout their lifecycle. Section 5.4 Objective] | Operational management | Establish Roles | |
Establish, implement, and maintain an asset inventory. CC ID 06631 [The Cloud Service Provider has established procedures for inventorying assets. AM-01 ¶ 1 The Cloud Service Provider operates or refers to a daily updated online register of known vulnerabilities that affect the Cloud Service Provider and assets provided by the Cloud Service Provider that the cloud customers have to install, provide or operate themselves under the customers' responsibility. PSS-03 ¶ 1] | Operational management | Business Processes | |
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Inventory; AM-02 ¶ 1 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
Add inventoried assets to the asset register database, as necessary. CC ID 07051 [Assets are recorded with the information needed to apply the Risk Management Procedure (cf. OIS-07), including the measures taken to manage these risks throughout the asset lifecycle. Changes to this information are logged. AM-01 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 [{automate} {responsible personnel} The inventory is performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle. AM-01 ¶ 2] | Operational management | Technical Security | |
Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
Record dependencies and interconnections between applicable assets in the asset inventory. CC ID 17196 | Operational management | Data and Information Management | |
Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
Record the vendor support end date for applicable assets in the asset inventory. CC ID 17194 | Operational management | Data and Information Management | |
Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
Record all changes to assets in the asset inventory. CC ID 12190 [Assets are recorded with the information needed to apply the Risk Management Procedure (cf. OIS-07), including the measures taken to manage these risks throughout the asset lifecycle. Changes to this information are logged. AM-01 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Complete and irrevocable deletion of the data upon decommissioning. AM-02 ¶ 1 Bullet 12] | Operational management | Data and Information Management | |
Reset systems to the default configuration prior to when the system is redeployed or the system is disposed. CC ID 16968 | Operational management | Configuration | |
Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain asset sanitization procedures. CC ID 16511 [The decommissioning includes the complete and permanent deletion of the data or proper destruction of the media. AM-04 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Obtain management approval prior to disposing of information technology assets. CC ID 17270 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Operational management | Business Processes | |
Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [{power supply facility} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Maintenance (servicing, inspection, repair) of the utilities in accordance with the manufacturer's recommendations. PS-06 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Include a list of assets that were removed or replaced during maintenance in the maintenance report. CC ID 17088 | Operational management | Maintenance | |
Include a description of the maintenance performed in the maintenance report. CC ID 17087 | Operational management | Maintenance | |
Include roles and responsibilities in the maintenance report. CC ID 17086 | Operational management | Maintenance | |
Include the date and time of maintenance in the maintenance report. CC ID 17085 | Operational management | Maintenance | |
Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
Establish, implement, and maintain a technology refresh schedule. CC ID 16940 | Operational management | Establish/Maintain Documentation | |
Provide advice regarding the establishment and implementation of an information technology refresh plan. CC ID 16938 | Operational management | Communicate | |
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 [Policies and instructions for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects: Activities that may result in malfunctions to the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods; and COM-02 ¶ 1 Bullet 2] | Operational management | Physical and Environmental Protection | |
Establish, implement, and maintain compensating controls for system components when third party support is no longer available. CC ID 17174 | Operational management | Process or Activity | |
Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Operational management | Human Resources Management | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
Establish, implement, and maintain an end-of-life management process. CC ID 16540 [The decommissioning of hardware used to operate system components supporting the cloud service production environment under the responsibility of the Cloud Service Provider requires approval based on the applicable policies. AM-04 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate end-of-life information for system components to interested personnel and affected parties. CC ID 16937 | Operational management | Communicate | |
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Definition of events that could lead to a violation of the protection goals; OPS-10 ¶ 1 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Mechanisms are in place to measure and monitor the type and scope of security incidents and to report them to support agencies. The information obtained from the evaluation is used to identify recurrent or significant incidents and to identify the need for further protection. SIM-05 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 [Identified violations and deviations are subjected to analysis, evaluation and treatment in accordance with the risk management procedure (cf. OIS-07). SSO-04 ¶ 4 Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1] | Operational management | Technical Security | |
Define and document the criteria to be used in categorizing incidents. CC ID 10033 [The Cloud Service Provider defines guidelines for the classification, prioritisation and escalation of security incidents and creates interfaces to the incident management and business continuity management. SIM-01 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Operational management | Data and Information Management | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include the incident classification criteria in incident response notifications. CC ID 17293 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include the incident reference code in incident response notifications. CC ID 17292 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Operational management | Establish/Maintain Documentation | |
Include costs associated with the incident in incident response notifications. CC ID 17300 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
Include response times in the containment strategy. CC ID 13485 [The procedures for monitoring compliance with the requirements are supplemented by automatic procedures relating to the following aspects: Response time to malfunctions and security incidents; and SSO-04 ¶ 5 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include a description of the data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
Log incidents in the Incident Management audit log. CC ID 00857 [Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of security incidents. Section 5.13 Objective] | Operational management | Establish/Maintain Documentation | |
Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
Include the information that was exchanged in the incident management audit log. CC ID 16995 | Operational management | Log Management | |
Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Mechanisms are in place to measure and monitor the type and scope of security incidents and to report them to support agencies. The information obtained from the evaluation is used to identify recurrent or significant incidents and to identify the need for further protection. SIM-05 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [As soon as an incident has been resolved from the Cloud Service Provider's perspective, the cloud customer is informed according to the contractual agreements, about the actions taken. OPS-21 ¶ 2 After a security incident has been processed, the solution is documented in accordance with the contractual agreements and the report is sent to the affected customers for final acknowledgement or, if applicable, as confirmation. SIM-03 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Establish/Maintain Documentation | |
Include addressing information sharing in the incident response plan. CC ID 13349 [{be transparent} {not reveal} An incident is typically significant when it affects multiple cloud customers and the Cloud Service Provider informs the affected parties or the public. The information about the incidents and the protection measures put in place should be as transparent as possible, without revealing vulnerability or potential points of attack. Furthermore, the reporting must not jeopardise the confidentiality of information concerning individual cloud customers and should therefore not contain a detailed description of individual incidents. Section 3.4.4.1 ¶ 4] | Operational management | Establish/Maintain Documentation | |
Include root cause analysis in the incident response plan. CC ID 16423 [Subject matter experts of the Cloud Service Provider, together with external security providers where appropriate, classify, prioritise and perform root-cause analyses for events that could constitute a security incident. SIM-02 ¶ 1 There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Operational management | Establish/Maintain Documentation | |
Include incident response team structures in the Incident Response program. CC ID 01237 [In addition, the Cloud Service Provider has set up a "Computer Emergency Response Team" (CERT), which contributes to the coordinated resolution of occurring security incidents. SIM-01 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include identifying remediation actions in the incident response plan. CC ID 13354 | Operational management | Establish/Maintain Documentation | |
Include the incident response training program in the Incident Response program. CC ID 06750 [The Cloud Service Provider operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the Cloud Service Provider on a regular basis. The program is regularly updated based on changes to policies and instructions and the current threat situation and includes the following aspects: Correct behaviour in the event of security incidents. HR-03 ¶ 1 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Incorporate tested, realistic exercises into the incident response training program. CC ID 06753 [In addition to the tests, exercises are also carried out which, among other things, have resulted in scenarios from security incidents that have already occurred in the past. BCM-04 ¶ 2] | Operational management | Behavior | |
Establish, implement, and maintain an incident response policy. CC ID 14024 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident response policy to interested personnel and affected parties. CC ID 14099 [Policies and instructions with technical and organisational safeguards are documented, communicated and provided in accordance with SP-01 to ensure a fast, effective and proper response to all known security incidents. SIM-01 ¶ 1] | Operational management | Communicate | |
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 [Interfaces are available to conduct forensic analyses and perform backups of infrastructure components and their network communication. OPS-15 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include time information in the chain of custody. CC ID 17068 | Operational management | Log Management | |
Include actions performed on evidence in the chain of custody. CC ID 17067 | Operational management | Log Management | |
Include individuals who had custody of evidence in the chain of custody. CC ID 17066 | Operational management | Log Management | |
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [There are instructions as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident. In addition, there are analysis plans for typical security incidents and an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment. SIM-01 ¶ 5] | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Security incidents; and OIS-03 ¶ 1 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [After a security incident has been processed, the solution is documented in accordance with the contractual agreements and the report is sent to the affected customers for final acknowledgement or, if applicable, as confirmation. SIM-03 ¶ 1] | Operational management | Actionable Reports or Measurements | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain system performance monitoring procedures. CC ID 11752 [Internal audits are supplemented by procedures to automatically monitor applicable requirements of policies and instructions with regard to the following aspects: Performance and availability of these system components; COM-03 ¶ 3 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Operational management | Establish/Maintain Documentation | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 [The Cloud Service Provider has established procedures and technical safeguards to encrypt cloud customers' data during storage. The private keys used for encryption are known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements. Exceptions follow a specified procedure. The procedures for the use of private keys, including any exceptions, must be contractually agreed with the cloud customer. CRY-03 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include availability requirements in Service Level Agreements. CC ID 13095 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Availability of the cloud service; BC-02 ¶ 1 Bullet 1 The cloud service is provided from two locations that are redundant to each other. The locations meet the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) and are located at an adequate distance from each other to achieve operational redundancy. Operational redundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 1 {separate} The cloud service is provided from more than two locations that provide each other with redundancy. The locations are sufficiently far apart to achieve georedundancy. If two locations fail at the same time, at least one third location is still available to prevent a total service failure. The georedundancy is designed in a way that ensures that the availability requirements specified in the service level agreement are met. The functionality of the redundancy is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-02 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 [Version control procedures are set up to track dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities. DEV-08 ¶ 1 Version control procedures provide appropriate safeguards to ensure that the integrity and availability of cloud customer data is not compromised when system components are restored back to their previous state. DEV-08 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Integrate configuration management procedures into the change control program. CC ID 13646 [Access to system components for logging and monitoring in the Cloud Service Provider's area of responsibility is restricted to authorised users. Changes to the configuration are made in accordance with the applicable policies (cf. DEV-03). OPS-16 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: DEV-03 ¶ 1 {security-related information} The information is detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service: Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security. PSS-04 ¶ 2 Bullet 3] | Operational management | Technical Security | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 [Version control procedures are set up to track dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities. DEV-08 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 [In accordance with the applicable policies (cf. DEV-03), changes are subjected to a risk assessment with regard to potential effects on the system components concerned and are categorised and prioritised accordingly. DEV-05 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Business Processes | |
Document all change requests in change request forms. CC ID 06794 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the documentation of changes in system, operational and user documentation; and DEV-03 ¶ 1 Bullet 5] | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 [Authorised personnel or system components of the Cloud Service Provider approve changes to the cloud service based on defined criteria (e.g. test results and required approvals) before these are made available to the cloud customers in the production environment. DEV-09 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 [The Cloud Service Provider validates the functionality of the authorisation mechanisms before new functions are made available to cloud users and in the event of changes to the authorisation mechanisms of existing functions (cf. DEV-06). The severity of identified vulnerabilities is assessed according to defined criteria based on industry standard metrics (e.g. Common Vulnerability Scoring System) and measures for timely resolution or mitigation are initiated. Vulnerabilities that have not been fixed are listed in the online register of known vulnerabilities (cf. PSS-02). PSS-09 ¶ 2] | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements; DEV-03 ¶ 1 Bullet 4 In accordance with the contractual agreements, meaningful information about the occasion, time, duration, type and scope of the change is submitted to authorised bodies of the cloud customer so that they can carry out their own risk assessment before the change is made available in the production environment. Regardless of the contractual agreements, this is done for changes that have the highest risk category based on their risk assessment. DEV-05 ¶ 2 {changes} Cloud customers are involved in the release according to contractual requirements. DEV-09 ¶ 2] | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes. DEV-03 ¶ 1 Bullet 6] | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes. DEV-03 ¶ 1 Bullet 6] | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 [The risk assessment covers the following areas, insofar as these are applicable to the provision of the Cloud Service and are in the area of responsibility of the Cloud Service Provider: Development, testing and release of changes (cf. DEV-01); and OIS-04 ¶ 2 Bullet 2 In accordance with the applicable policies (cf. DEV-03), changes are subjected to a risk assessment with regard to potential effects on the system components concerned and are categorised and prioritised accordingly. DEV-05 ¶ 1 Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 [Policies and instructions with technical and organisational safeguards for change management of system components of the cloud service within the scope of software deployment are documented, communicated and provided according to SP-01 with regard to the following aspects: Criteria for risk assessment, categorisation and prioritisation of changes and related requirements for the type and scope of testing to be performed, and necessary approvals for the development/implementation of the change and releases for deployment in the production environment by authorised personnel or system components; DEV-03 ¶ 1 Bullet 1] | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 [{access rights management plan} System components and tools for source code management and software deployment that are used to make changes to system components of the cloud service in the production environment are subject to a role and rights concept according to IDM-01 and authorisation mechanisms. They must be configured in such a way that all changes are logged and can therefore be traced back to the individuals or system components executing them. DEV-07 ¶ 1 If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: If the Cloud Service Provider provides images of virtual machines or containers to the Cloud Customer, the Cloud Service Provider appropriately informs the Cloud Customer of the changes made to the previous version. PSS-11 ¶ 1 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a transition strategy. CC ID 17049 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition of success criteria for the transition; and SSO-05 ¶ 2 Bullet 3] | Operational management | Establish/Maintain Documentation | |
Include monitoring requirements in the transition strategy. CC ID 17290 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition of indicators for monitoring the performance of services, which should initiate the withdrawal from the service if the results are unacceptable. SSO-05 ¶ 2 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Include resources in the transition strategy. CC ID 17289 [Exit strategies are aligned with operational continuity plans and include the following aspects: Definition and allocation of roles, responsibilities and sufficient resources to perform the activities for a transition; SSO-05 ¶ 2 Bullet 2] | Operational management | Establish/Maintain Documentation | |
Include time requirements in the transition strategy. CC ID 17288 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 [Guidelines and instructions with technical and organisational measures are documented, communicated and provided in accordance with SP-01 to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service. These guidelines and instructions contain specifications regarding the following aspects: Prioritisation and implementation of actions to promptly remediate or mitigate identified vulnerabilities based on severity and according to defined timelines; and OPS-18 ¶ 1 Bullet 3 Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): OPS-22 ¶ 2 {critical vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): Critical (CVSS = 9.0 – 10.0), 3 hours; OPS-22 ¶ 2 Bullet 1 {high severity vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): High (CVSS = 7.0 – 8.9), 3 days; OPS-22 ¶ 2 Bullet 2 {average severity vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): Average (CVSS = 4.0 – 6.9), 1 month; and OPS-22 ¶ 2 Bullet 3 {low severity vulnerability} Available security patches are applied depending on the severity of the vulnerabilities, as determined based on the latest version of the Common Vulnerability Scoring System (CVSS): Low (CVSS = 0.1 – 3.9), 3 months. OPS-22 ¶ 2 Bullet 4] | Operational management | Business Processes | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain traceability documentation. CC ID 16388 [{be up-to-date} The documentation of the logical structure of the network used to provision or operate the Cloud Service, is traceable and up-to-date, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions in accordance with contractual obligations. The documentation shows how the subnets are allocated and how the network is zoned and segmented. In addition, the geographical locations in which the cloud customers' data is stored are indicated. COS-07 ¶ 1] | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Establish/Maintain Documentation | |
Include configuration management procedures in the configuration management plan. CC ID 14248 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: Instructions for secure configuration; PSS-01 ¶ 2 Bullet 1] | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards. CC ID 04490 [{be inactive} To protect confidentiality, availability, integrity and authenticity during interactions with the cloud service, a suitable session management system is used that at least corresponds to the state-of-the-art and is protected against known attacks. Mechanisms are implemented that invalidate a session after it has been detected as inactive. The inactivity can be detected by time measurement. In this case, the time interval can be configured by the Cloud Service Provider or – if technically possible – by the cloud customer. PSS-06 ¶ 1] | System hardening through configuration management | Configuration | |
Install critical security updates and important security updates in a timely manner. CC ID 01696 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Requirements for versions of software and images as well as application of patches; AM-02 ¶ 1 Bullet 5 {time frame} For each vulnerability, it is indicated whether software updates (e.g. patch, update) are available, when they will be rolled out and whether they will be deployed by the Cloud Service Provider, the cloud customer or both of them together. PSS-03 ¶ 4] | System hardening through configuration management | Configuration | |
Include risk information when communicating critical security updates. CC ID 14948 | System hardening through configuration management | Communicate | |
Configure Least Functionality and Least Privilege settings to organizational standards. CC ID 07599 [The rights profiles are suitable for enabling cloud users to manage access authorisations and permissions in accordance with the principle of least-privilege and how it is necessary for the performance of tasks ("need-to-know principle") and to implement the principle of functional separation between operational and controlling functions ("separation of duties"). PSS-08 ¶ 2] | System hardening through configuration management | Configuration | |
Prohibit directories from having read/write capability, as appropriate. CC ID 16313 | System hardening through configuration management | Configuration | |
Configure "Block public access (bucket settings)" to organizational standards. CC ID 15444 | System hardening through configuration management | Configuration | |
Configure S3 Bucket Policies to organizational standards. CC ID 15431 | System hardening through configuration management | Configuration | |
Configure "Allow suggested apps in Windows Ink Workspace" to organizational standards. CC ID 15417 | System hardening through configuration management | Configuration | |
Configure "Allow Cloud Search" to organizational standards. CC ID 15416 | System hardening through configuration management | Configuration | |
Configure "Configure Watson events" to organizational standards. CC ID 15414 | System hardening through configuration management | Configuration | |
Configure "Allow Clipboard synchronization across devices" to organizational standards. CC ID 15412 | System hardening through configuration management | Configuration | |
Configure "Prevent users from modifying settings" to organizational standards. CC ID 15411 | System hardening through configuration management | Configuration | |
Configure "Prevent users from sharing files within their profile" to organizational standards. CC ID 15408 | System hardening through configuration management | Configuration | |
Configure "Manage preview builds" to organizational standards. CC ID 15405 | System hardening through configuration management | Configuration | |
Configure "Turn off Help Experience Improvement Program" to organizational standards. CC ID 15403 | System hardening through configuration management | Configuration | |
Configure "Sign-in and lock last interactive user automatically after a restart" to organizational standards. CC ID 15402 | System hardening through configuration management | Configuration | |
Configure "Hardened UNC Paths" to organizational standards. CC ID 15400 | System hardening through configuration management | Configuration | |
Configure "Turn off all Windows spotlight features" to organizational standards. CC ID 15397 | System hardening through configuration management | Configuration | |
Configure "Allow Message Service Cloud Sync" to organizational standards. CC ID 15396 | System hardening through configuration management | Configuration | |
Configure "Configure local setting override for reporting to Microsoft MAPS" to organizational standards. CC ID 15394 | System hardening through configuration management | Configuration | |
Configure "Configure Windows spotlight on lock screen" to organizational standards. CC ID 15391 | System hardening through configuration management | Configuration | |
Configure "Do not suggest third-party content in Windows spotlight" to organizational standards. CC ID 15389 | System hardening through configuration management | Configuration | |
Configure "Enable Font Providers" to organizational standards. CC ID 15388 | System hardening through configuration management | Configuration | |
Configure "Disallow copying of user input methods to the system account for sign-in" to organizational standards. CC ID 15386 | System hardening through configuration management | Configuration | |
Configure "Do not display network selection UI" to organizational standards. CC ID 15381 | System hardening through configuration management | Configuration | |
Configure "Turn off KMS Client Online AVS Validation" to organizational standards. CC ID 15380 | System hardening through configuration management | Configuration | |
Configure "Allow Telemetry" to organizational standards. CC ID 15378 | System hardening through configuration management | Configuration | |
Configure "Allow users to enable online speech recognition services" to organizational standards. CC ID 15377 | System hardening through configuration management | Configuration | |
Configure "Prevent enabling lock screen camera" to organizational standards. CC ID 15373 | System hardening through configuration management | Configuration | |
Configure "Continue experiences on this device" to organizational standards. CC ID 15372 | System hardening through configuration management | Configuration | |
Configure "Prevent the usage of OneDrive for file storage" to organizational standards. CC ID 15369 | System hardening through configuration management | Configuration | |
Configure "Do not use diagnostic data for tailored experiences" to organizational standards. CC ID 15367 | System hardening through configuration management | Configuration | |
Configure "Network access: Restrict clients allowed to make remote calls to SAM" to organizational standards. CC ID 15365 | System hardening through configuration management | Configuration | |
Configure "Turn off Microsoft consumer experiences" to organizational standards. CC ID 15363 | System hardening through configuration management | Configuration | |
Configure "Allow Use of Camera" to organizational standards. CC ID 15362 | System hardening through configuration management | Configuration | |
Configure "Allow Online Tips" to organizational standards. CC ID 15360 | System hardening through configuration management | Configuration | |
Configure "Turn off cloud optimized content" to organizational standards. CC ID 15357 | System hardening through configuration management | Configuration | |
Configure "Apply UAC restrictions to local accounts on network logons" to organizational standards. CC ID 15356 | System hardening through configuration management | Configuration | |
Configure "Toggle user control over Insider builds" to organizational standards. CC ID 15354 | System hardening through configuration management | Configuration | |
Configure "Allow network connectivity during connected-standby (plugged in)" to organizational standards. CC ID 15353 | System hardening through configuration management | Configuration | |
Configure "Do not show feedback notifications" to organizational standards. CC ID 15350 | System hardening through configuration management | Configuration | |
Configure "Prevent enabling lock screen slide show" to organizational standards. CC ID 15349 | System hardening through configuration management | Configuration | |
Configure "Turn off the advertising ID" to organizational standards. CC ID 15348 | System hardening through configuration management | Configuration | |
Configure "Allow Windows Ink Workspace" to organizational standards. CC ID 15346 | System hardening through configuration management | Configuration | |
Configure "Allow a Windows app to share application data between users" to organizational standards. CC ID 15345 | System hardening through configuration management | Configuration | |
Configure "Turn off handwriting personalization data sharing" to organizational standards. CC ID 15339 | System hardening through configuration management | Configuration | |
Configure virtual networks in accordance with the information security policy. CC ID 13165 [{physical separation} In the case of IaaS/PaaS, the secure segregation is ensured by physically separated networks or by means of strongly encrypted VLANs. For the definition of strong encryption, the BSI Technical Guideline TR-02102 must be considered. COS-06 ¶ 2] | System hardening through configuration management | Configuration | |
Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
Configure authenticators to comply with organizational standards. CC ID 06412 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: When creating passwords, compliance with the password specifications (cf. IDM-09) is enforced as far as technically possible. IDM-08 ¶ 1 Bullet 2 System components in the Cloud Service Provider's area of responsibility that are used to provide the cloud service, authenticate users of the Cloud Service Provider's internal and external employees as well as system components that are involved in the Cloud Service Provider's automated authorisation processes. Access to the production environment requires two-factor or multi-factor authentication. Within the production environment, user authentication takes place through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security. If digitally signed certificates are used, administration is carried out in accordance with the Guideline for Key Management (cf. CRY-01). The password requirements are derived from a risk assessment and documented, communicated and provided in a password policy according to SP-01. Compliance with the requirements is enforced by the configuration of the system components, as far as technically possible. IDM-09 ¶ 1] | System hardening through configuration management | Configuration | |
Configure the system to require new users to change their authenticator on first use. CC ID 05268 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | System hardening through configuration management | Configuration | |
Configure the system to encrypt authenticators. CC ID 06735 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: The server-side storage takes place using cryptographically strong hash functions. IDM-08 ¶ 1 Bullet 4 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: The server-side storage takes place using state-of-the-art cryptographically strong hash functions in combination with at least 32-bit long salt values. PSS-07 ¶ 1 Bullet 4] | System hardening through configuration management | Configuration | |
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Configuration | |
Notify affected parties to keep authenticators confidential. CC ID 06787 [{maintain} {confidentiality} The users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively for themselves (within the members of the group). IDM-08 ¶ 3] | System hardening through configuration management | Behavior | |
Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
Employ multifactor authentication for accounts with administrative privilege. CC ID 12496 [A role and rights concept based on the business and security requirements of the Cloud Service Provider as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and system components that have a role in automated authorisation processes of the Cloud Service Provider are documented, communicated and made available according to SP-01: Two-factor or multi-factor authentication for users with privileged access; and IDM-01 ¶ 1 Bullet 9 For privileged users, IT components or applications, these authentication mechanisms are enforced. PSS-05 ¶ 3] | System hardening through configuration management | Technical Security | |
Establish, implement, and maintain an account lockout policy. CC ID 01709 [User accounts of internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider are automatically locked if they have not been used for a period of two months. Approval from authorised personnel or system components are required to unlock these accounts. IDM-03 ¶ 1] | System hardening through configuration management | Establish/Maintain Documentation | |
Review and restrict network addresses and network protocols. CC ID 01518 [Policies and instructions with technical and organisational safeguards for encryption procedures and key management are documented, communicated and provided according to SP-01, in which the following aspects are described: Usage of strong encryption procedures and secure network protocols that correspond to the state-of-the-art; CRY-01 ¶ 1 Bullet 1 {insecure protocol} At specified intervals, the business justification for using all services, protocols, and ports is reviewed. The review also includes the justifications for compensatory measures for the use of protocols that are considered insecure. COS-03 ¶ 4] | System hardening through configuration management | Configuration | |
Establish, implement, and maintain a network addressing plan. CC ID 16399 | System hardening through configuration management | Establish/Maintain Documentation | |
Define the location requirements for network elements and network devices. CC ID 16379 | System hardening through configuration management | Process or Activity | |
Configure Network Address Translation to organizational standards. CC ID 16395 | System hardening through configuration management | Configuration | |
Enable or disable tunneling, as necessary. CC ID 15235 | System hardening through configuration management | Configuration | |
Disable Pre-boot eXecution Environment unless it is absolutely necessary. CC ID 04819 | System hardening through configuration management | Configuration | |
Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information. CC ID 06077 [{trusted network} A distinction is made between trusted and untrusted networks. Based on a risk assessment, these are separated into different security zones for internal and external network areas (and DMZ, if applicable). Physical and virtualised network environments are designed and configured to restrict and monitor the established connection to trusted or untrusted networks according to the defined security requirements. COS-03 ¶ 1] | System hardening through configuration management | Configuration | |
Configure wireless communication to be encrypted using strong cryptography. CC ID 06078 [Communication takes place through standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements. Communication over untrusted networks is encrypted according to CRY-02. PI-01 ¶ 2] | System hardening through configuration management | Configuration | |
Verify the organization has Emergency Power Supplies available for the systems. CC ID 01912 [{power supply facility} {emergency power solution} Measures to prevent the failure of the technical supply facilities required for the operation of system components with which information from cloud customers is processed, are documented and set up in accordance with the security requirements of the Cloud Service Provider (cf. PS-01 Security Concept) with respect to the following aspects: Use of appropriately sized uninterruptible power supplies (UPS) and emergency power systems (NEA), designed to ensure that all data remains undamaged in the event of a power failure. The functionality of UPS and NEA is checked at least annually by suitable tests and exercises (cf. BCM-04 – Verification, updating and testing of business continuity). PS-06 ¶ 1(b)] | System hardening through configuration management | Systems Continuity | |
Verify enough emergency power is available for a graceful shutdown if the primary power system fails. CC ID 01913 | System hardening through configuration management | Systems Continuity | |
Verify emergency power continuity procedures are in place to transfer power to a secondary source if the primary power system fails. CC ID 01914 | System hardening through configuration management | Systems Continuity | |
Enable or disable the Uninterruptible Power Supply service, as appropriate. CC ID 06037 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain virtualization configuration settings. CC ID 07110 | System hardening through configuration management | Configuration | |
Implement the security features of hypervisor to protect virtual machines. CC ID 12176 [{dedicated network} There are separate networks for the administrative management of the infrastructure and for the operation of management consoles. These networks are logically or physically separated from the cloud customer's network and protected from unauthorised access by multi-factor authentication (cf. IDM-09). Networks used by the Cloud Service Provider to migrate or create virtual machines are also physically or logically separated from other networks. COS-05 ¶ 1] | System hardening through configuration management | Configuration | |
Configure network protection settings to organizational standards. CC ID 07601 [System components in the production environment used to provide the cloud service under the Cloud Service Provider's responsibility are hardened according to generally accepted industry standards. The hardening requirements for each system component are documented. OPS-23 ¶ 1 Ensure the protection of information in networks and the corresponding information processing systems Section 5.9 Objective] | System hardening through configuration management | Configuration | |
Configure the "CNI" plugin to organizational standards. CC ID 14659 | System hardening through configuration management | Configuration | |
Configure the "data-path-addr" argument to organizational standards. CC ID 14546 | System hardening through configuration management | Configuration | |
Configure the "advertise-addr" argument to organizational standards. CC ID 14544 | System hardening through configuration management | Configuration | |
Configure the "nftables" to organizational standards. CC ID 15320 | System hardening through configuration management | Configuration | |
Configure the "iptables" to organizational standards. CC ID 14463 | System hardening through configuration management | Configuration | |
Configure the "ip6tables" settings to organizational standards. CC ID 15322 | System hardening through configuration management | Configuration | |
Configure the "insecure registries" to organizational standards. CC ID 14455 | System hardening through configuration management | Configuration | |
Configure the "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to organizational standards. CC ID 07602 | System hardening through configuration management | Configuration | |
Configure the "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to organizational standards. CC ID 07648 | System hardening through configuration management | Configuration | |
Configure the "net-host" argument to organizational standards. CC ID 14529 | System hardening through configuration management | Configuration | |
Configure the "firewalld" to organizational standards. CC ID 15321 | System hardening through configuration management | Configuration | |
Configure the "network bridge" to organizational standards. CC ID 14501 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Firewall state" to organizational standards. CC ID 07667 | System hardening through configuration management | Configuration | |
Configure the "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)" to organizational standards. CC ID 07680 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Outbound connections" to organizational standards. CC ID 07695 | System hardening through configuration management | Configuration | |
Configure the "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." to organizational standards. CC ID 07703 | System hardening through configuration management | Configuration | |
Configure the "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to organizational standards. CC ID 07733 | System hardening through configuration management | Configuration | |
Configure the "publish" argument to organizational standards. CC ID 14500 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Inbound connections" to organizational standards. CC ID 07747 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Apply local firewall rules" to organizational standards. CC ID 07777 | System hardening through configuration management | Configuration | |
Configure the "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to organizational standards. CC ID 07801 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Firewall state" to organizational standards. CC ID 07803 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Apply local connection security rules" to organizational standards. CC ID 07805 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Apply local firewall rules" to organizational standards. CC ID 07833 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Display a notification" to organizational standards. CC ID 07836 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Outbound connections" to organizational standards. CC ID 07839 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Apply local firewall rules" to organizational standards. CC ID 07850 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Inbound connections" to organizational standards. CC ID 07851 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Outbound connections" to organizational standards. CC ID 07858 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Firewall state" to organizational standards. CC ID 07861 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Display a notification" to organizational standards. CC ID 07868 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Inbound connections" to organizational standards. CC ID 07872 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Allow unicast response" to organizational standards. CC ID 07873 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Allow unicast response" to organizational standards. CC ID 07885 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Apply local connection security rules" to organizational standards. CC ID 07890 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Allow unicast response" to organizational standards. CC ID 07893 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Apply local connection security rules" to organizational standards. CC ID 07896 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Display a notification" to organizational standards. CC ID 07902 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Protect all network connections" to organizational standards. CC ID 08161 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Allow inbound UPnP framework exceptions" to organizational standards. CC ID 08170 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Allow local program exceptions" to organizational standards. CC ID 08173 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Do not allow exceptions" to organizational standards. CC ID 08184 | System hardening through configuration management | Configuration | |
Configure the "MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)" to organizational standards. CC ID 08208 | System hardening through configuration management | Configuration | |
Configure the "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" to organizational standards. CC ID 08210 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Allow local port exceptions" to organizational standards. CC ID 08214 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Define inbound port exceptions" to organizational standards. CC ID 08215 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Prohibit unicast response to multicast or broadcast requests" to organizational standards. CC ID 08217 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Prohibit notifications" to organizational standards. CC ID 08249 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Allow inbound file and printer sharing exception" to organizational standards. CC ID 08275 | System hardening through configuration management | Configuration | |
Configure the "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" to organizational standards. CC ID 08279 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Define inbound program exceptions" to organizational standards. CC ID 08282 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Allow ICMP exceptions" to organizational standards. CC ID 08289 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Allow inbound Remote Desktop exceptions" to organizational standards. CC ID 08295 | System hardening through configuration management | Configuration | |
Configure the "Allow unencrypted traffic" to organizational standards. CC ID 08383 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Logging: Log successful connections" to organizational standards. CC ID 08466 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Public: Logging: Size limit (KB)" to organizational standards. CC ID 08494 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Domain: Logging: Log successful connections" to organizational standards. CC ID 08544 | System hardening through configuration management | Configuration | |
Configure the "Windows Firewall: Private: Logging: Name" to organizational standards. CC ID 08595 | System hardening through configuration management | Configuration | |
Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
Configure the storage parameters for all logs. CC ID 06330 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2] | System hardening through configuration management | Configuration | |
Configure the event log settings for specific Operating System functions. CC ID 06337 | System hardening through configuration management | Configuration | |
Generate an alert when an audit log failure occurs. CC ID 06737 [The Cloud Service Provider monitors the system components for logging and monitoring in its area of responsibility. Failures are automatically and promptly reported to the Cloud Service Provider's responsible departments so that these can assess the failures and take required action. OPS-17 ¶ 1] | System hardening through configuration management | Configuration | |
Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 | System hardening through configuration management | Configuration | |
Configure Identity and Access Management policies to organizational standards. CC ID 15422 [Specified procedures for granting and modifying user accounts and access rights for internal and external employees of the Cloud Service Provider as well as for system components involved in automated authorisation processes of the Cloud Service Provider ensure compliance with the role and rights concept as well as the policy for managing user accounts and access rights. IDM-02 ¶ 1] | System hardening through configuration management | Configuration | |
Configure the "Maximum password age" to organizational standards. CC ID 07688 [The allocation of authentication information to access system components used to provide the cloud service to internal and external users of the cloud provider and system components that are involved in automated authorisation processes of the cloud provider is done in an orderly manner that ensures the confidentiality of the information. If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: Users can initially create the password themselves or must change an initial password when logging on to the system component for the first time. An initial password loses its validity after a maximum of 14 days. IDM-08 ¶ 1 Bullet 1 If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: Users can initially create the password themselves or must change an initial password when logging in to the cloud service for the first time. An initial password loses its validity after a maximum of 14 days. PSS-07 ¶ 1 Bullet 1] | System hardening through configuration management | Configuration | |
Configure the "Minimum password length" to organizational standards. CC ID 07711 [{password length} If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: When creating passwords, compliance with the length and complexity requirements of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically enforced. PSS-07 ¶ 1 Bullet 2] | System hardening through configuration management | Configuration | |
Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743 [{password length} If passwords are used as authentication information for the cloud service, their confidentiality is ensured by the following procedures: When creating passwords, compliance with the length and complexity requirements of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically enforced. PSS-07 ¶ 1 Bullet 2] | System hardening through configuration management | Configuration | |
Configure security and protection software to enable automatic updates. CC ID 11945 [System components under the Cloud Service Provider's responsibility that are used to deploy the cloud service in the production environment are configured with malware protection according to the policies and instructions. If protection programs are set up with signature and behaviour-based malware detection and removal, these protection programs are updated at least daily. OPS-05 ¶ 1] | System hardening through configuration management | Configuration | |
Configure initial system hardening according to the secure configuration baseline. CC ID 13824 [System components in the production environment used to provide the cloud service under the Cloud Service Provider's responsibility are hardened according to generally accepted industry standards. The hardening requirements for each system component are documented. OPS-23 ¶ 1 {acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Secure configuration of mechanisms for error handling, logging, encryption, authentication and authorisation; AM-02 ¶ 1 Bullet 4] | System hardening through configuration management | Configuration | |
Configure the system's password field with a unique default password. CC ID 13825 | System hardening through configuration management | Configuration | |
Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 [If cloud customers operate virtual machines or containers with the cloud service, the Cloud Service Provider must ensure the following aspects: In addition, these images provided by the Cloud Service Provider are hardened according to generally accepted industry standards. PSS-11 ¶ 1 Bullet 3] | System hardening through configuration management | Configuration | |
Store master images on securely configured servers. CC ID 12089 [{be immutable} If non-modifiable ("immutable") images are used, compliance with the hardening specifications as defined in the hardening requirements is checked upon creation of the images. Configuration and log files regarding the continuous availability of the images are retained. OPS-23 ¶ 2] | System hardening through configuration management | Technical Security | |
Store records and data in accordance with organizational standards. CC ID 16439 | Records management | Data and Information Management | |
Remove dormant data from systems, as necessary. CC ID 13726 | Records management | Process or Activity | |
Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 | Records management | Data and Information Management | |
Determine how long to keep records and logs before disposing them. CC ID 11661 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Retention for the specified period; and OPS-12 ¶ 1 Bullet 2] | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [{appropriate format} The Cloud Service Provider retains the generated log data and keeps these in an appropriate, unchangeable and aggregated form, regardless of the source of such data, so that a central, authorised evaluation of the data is possible. Log data is deleted if it is no longer required for the purpose for which they were collected. OPS-14 ¶ 1 The Cloud Service Provider has established policies and instructions that govern the logging and monitoring of events on system components within its area of responsibility. These policies and instructions are documented, communicated and provided according to SP-01 with respect to the following aspects: Information regarding the purpose and retention period of the logs; OPS-10 ¶ 1 Bullet 3] | Records management | Records Management | |
Define each system's disposition requirements for records and logs. CC ID 11651 [{appropriate format} The Cloud Service Provider retains the generated log data and keeps these in an appropriate, unchangeable and aggregated form, regardless of the source of such data, so that a central, authorised evaluation of the data is possible. Log data is deleted if it is no longer required for the purpose for which they were collected. OPS-14 ¶ 1] | Records management | Process or Activity | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: Deletion when further retention is no longer necessary for the purpose of collection. OPS-12 ¶ 1 Bullet 3] | Records management | Establish/Maintain Documentation | |
Require authorized individuals be present to witness records disposition. CC ID 12313 | Records management | Data and Information Management | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The logged information is protected from unauthorised access and modification and can be deleted by the Cloud Customer. PSS-04 ¶ 3] | Records management | Records Management | |
Include the sanitization method in the disposal record. CC ID 17073 | Records management | Log Management | |
Include time information in the disposal record. CC ID 17072 | Records management | Log Management | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
Disseminate and communicate disposal records to interested personnel and affected parties. CC ID 16891 | Records management | Communicate | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Technical Security | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Records Management | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Establish/Maintain Documentation | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 [The top management of the Cloud Service Provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS that is performed at least once a year. COM-04 ¶ 1] | Records management | Log Management | |
Establish, implement, and maintain security label procedures. CC ID 06747 [Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits. AM-06 ¶ 1] | Records management | Establish/Maintain Documentation | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 [Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures. Section 5.6 Objective] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish and maintain System Development Life Cycle documentation. CC ID 12079 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: DEV-01 ¶ 2] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include a technology refresh schedule in the system development life cycle documentation. CC ID 14759 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Design the Software as a Service infrastructure to segment cloud customer user access. CC ID 12347 [Ensure the protection of information that service providers or suppliers of the Cloud Service Provider (subcontractors) can access and monitor the agreed services and security requirements. Section 5.12 Objective] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Obtain approval from appropriate parties for system design projects. CC ID 01033 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Separate the design and development environment from the production environment. CC ID 06088 [Production environments are physically or logically separated from test or development environments to prevent unauthorised access to cloud customer data, the spread of malware, or changes to system components. Data contained in the production environments is not used in test or development environments in order not to compromise their confidentiality. DEV-10 ¶ 1] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Testing | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in operation (reaction to identified faults and vulnerabilities). DEV-01 ¶ 2 Bullet 3 Policies and instructions with technical and organisational measures for the secure development of the cloud service are documented, communicated and provided in accordance with SP-01. DEV-01 ¶ 1] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain outsourced development procedures. CC ID 01141 [In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Security in software development (requirements, design, implementation, tests and verifications) in accordance with recognised standards and methods; DEV-02 ¶ 1 Bullet 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect stored manufacturing components prior to assembly. CC ID 12248 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Store manufacturing components in a controlled access area. CC ID 12256 | Systems design, build, and implementation | Physical and Environmental Protection | |
Develop new products based on best practices. CC ID 01095 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in Software Development (Requirements, Design, Implementation, Testing and Verification); DEV-01 ¶ 2 Bullet 1] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Document the system architecture in the system design specification. CC ID 12287 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain Application Programming Interface documentation. CC ID 12203 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include configuration options in the Application Programming Interface documentation. CC ID 12205 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include security requirements in the system design specification. CC ID 06826 [Ensure information security in the development cycle of information systems. Section 5.11 Objective] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 [Access to the non-production environment requires two-factor or multi-factor authentication. Within the non-production environment, users are authenticated using passwords, digitally signed certificates, or procedures that provide at least an equivalent level of security. IDM-09 ¶ 2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include security measures in the identification card or badge architectural designs. CC ID 15423 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a CAPTCHA design specification. CC ID 17092 | Systems design, build, and implementation | Technical Security | |
Establish, implement, and maintain payment card architectural designs. CC ID 16132 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Nest elements appropriately in website content using markup languages. CC ID 15154 | Systems design, build, and implementation | Configuration | |
Use valid HTML or other markup languages. CC ID 15153 | Systems design, build, and implementation | Configuration | |
Establish, implement, and maintain human interface guidelines. CC ID 08662 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Ensure users can navigate content. CC ID 15163 | Systems design, build, and implementation | Configuration | |
Create text content using language that is readable and is understandable. CC ID 15167 | Systems design, build, and implementation | Configuration | |
Ensure user interface components are operable. CC ID 15162 | Systems design, build, and implementation | Configuration | |
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 | Systems design, build, and implementation | Configuration | |
Allow users to reverse submissions. CC ID 15168 | Systems design, build, and implementation | Configuration | |
Provide a mechanism to control audio. CC ID 15158 | Systems design, build, and implementation | Configuration | |
Allow modification of style properties without loss of content or functionality. CC ID 15156 | Systems design, build, and implementation | Configuration | |
Programmatically determine the name and role of user interface components. CC ID 15148 | Systems design, build, and implementation | Configuration | |
Programmatically determine the language of content. CC ID 15137 | Systems design, build, and implementation | Configuration | |
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 | Systems design, build, and implementation | Configuration | |
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 | Systems design, build, and implementation | Configuration | |
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 | Systems design, build, and implementation | Configuration | |
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 | Systems design, build, and implementation | Configuration | |
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 | Systems design, build, and implementation | Process or Activity | |
Provide captions for live audio content. CC ID 15120 | Systems design, build, and implementation | Configuration | |
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 | Systems design, build, and implementation | Configuration | |
Provide labels or instructions when content requires user input. CC ID 15077 | Systems design, build, and implementation | Configuration | |
Allow users to control auto-updating information, as necessary. CC ID 15159 | Systems design, build, and implementation | Configuration | |
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 | Systems design, build, and implementation | Configuration | |
Display website content triggered by mouseover or keyboard focus. CC ID 15152 | Systems design, build, and implementation | Configuration | |
Ensure the purpose of links can be determined through the link text. CC ID 15157 | Systems design, build, and implementation | Configuration | |
Use a unique title that describes the topic or purpose for each web page. CC ID 15069 | Systems design, build, and implementation | Configuration | |
Allow the use of time limits, as necessary. CC ID 15155 | Systems design, build, and implementation | Configuration | |
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Refrain from activating a change of context in a user interface component. CC ID 15115 | Systems design, build, and implementation | Configuration | |
Include functionality for managing user data in human interface guidelines. CC ID 14928 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain User Interface documentation. CC ID 12204 [The type and scope of the documentation on the interfaces is geared to the needs of the cloud customers' subject matter experts in order to enable the use of these interfaces. The information is maintained in such a way that it is applicable for the cloud service's version which is intended for productive use. PI-01 ¶ 3] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include data encryption information in the system design specification. CC ID 12209 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include records disposition information in the system design specification. CC ID 12208 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include how data is managed in each module in the system design specification. CC ID 12207 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include identifying restricted data in the system design specification. CC ID 12206 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 | Systems design, build, and implementation | Communicate | |
Implement data controls when developing systems. CC ID 15302 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Technical Security | |
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to enforce the separation between applications. CC ID 12254 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Design the hardware security module to erase sensitive data when compromised. CC ID 12275 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Install secret information under dual control into the hardware security module. CC ID 12257 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain secure update mechanisms. CC ID 14923 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Automate secure update mechanisms, as necessary. CC ID 14933 [Assets provided by the Cloud Service Provider, which must be installed, provided or operated by cloud users within their area of responsibility, are equipped with automatic update mechanisms. After approval by the respective cloud user, software updates can be rolled out in such a way that they can be distributed to all affected users without human interaction. PSS-03 ¶ 5] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include the source code in the implementation representation document. CC ID 13089 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the hardware schematics in the implementation representation document. CC ID 13098 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Run sensitive workloads in Trusted Execution Environments. CC ID 16853 | Systems design, build, and implementation | Process or Activity | |
Design the privacy architecture. CC ID 14671 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Review and update the privacy architecture, as necessary. CC ID 14674 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Convert workflow charts and diagrams into machine readable code. CC ID 14865 | Systems design, build, and implementation | Process or Activity | |
Implement software development version controls. CC ID 01098 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Requirements for versions of software and images as well as application of patches; AM-02 ¶ 1 Bullet 5] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect source code in accordance with organizational requirements. CC ID 16855 | Systems design, build, and implementation | Technical Security | |
Digitally sign software components. CC ID 16490 | Systems design, build, and implementation | Process or Activity | |
Develop new products based on secure coding techniques. CC ID 11733 [{secure development} The policies and instructions contain guidelines for the entire life cycle of the cloud service and are based on recognised standards and methods with regard to the following aspects: Security in software deployment (including continuous delivery); and DEV-01 ¶ 2 Bullet 2] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect applications from format string attacks through secure coding techniques in source code. CC ID 17091 | Systems design, build, and implementation | Technical Security | |
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Configuration | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Acceptance testing of the quality of the services provided in accordance with the agreed functional and non-functional requirements; and DEV-02 ¶ 1 Bullet 2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Communicate | |
Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Plan and document the Certification and Accreditation process. CC ID 11767 [The Information Security Management System (ISMS) has a valid certification according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz. OIS-01 ¶ 3 To the extent applicable for the certification or attestation, the following information are provided: issuing organisation; and BC-06 ¶ 2 Bullet 2 To the extent applicable for the certification or attestation, the following information are provided: date of issuance; BC-06 ¶ 2 Bullet 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Submit the information system's security authorization package to the appropriate stakeholders, as necessary. CC ID 13987 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Business Processes | |
Establish, implement, and maintain a vulnerability disclosure policy. CC ID 14934 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain vulnerability disclosure procedures. CC ID 16489 [{vulnerabilities} {assets} The online register is easily accessible to any cloud customer. The information contained therein forms a suitable basis for risk assessment and possible follow-up measures on the part of cloud users. PSS-03 ¶ 3] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 [Interfaces and dependencies between cloud service delivery activities performed by the Cloud Service Provider and activities performed by third parties are documented and communicated. This includes dealing with the following events: Vulnerabilities; OIS-03 ¶ 1 Bullet 1 In the case of outsourced development of the cloud service (or individual system components), specifications regarding the following aspects are contractually agreed between the Cloud Service Provider and the outsourced development contractor: Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities. DEV-02 ¶ 1 Bullet 3 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for dealing with vulnerabilities, security incidents and malfunctions; SSO-01 ¶ 1 Bullet 6 The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service. PSS-02 ¶ 2 Bullet 4] | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 [{acceptable use policy} Policies and instructions for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01 and address the following aspects of the asset lifecycle as applicable to the asset: Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components; AM-02 ¶ 1 Bullet 1] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Acquisition or sale of facilities, technology, and services | Communicate | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [The Cloud Service Provider has an approval process for the use of hardware to be commissioned, which is used to provide the cloud service in the production environment, in which the risks arising from the commissioning are identified, analysed and mitigated. Approval is granted after verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies. AM-03 ¶ 1 In procurement, products are preferred which have been certified according to the "Common Criteria for Information Technology Security Evaluation" (short: Common Criteria – CC) according to Evaluation Assurance Level EAL 4. If non-certified products are to be procured for available certified products, a risk assessment is carried out in accordance with OIS-07. DEV-01 ¶ 3] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: the ability of the affected cloud customers to object; and BC-05 ¶ 1 Bullet 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: whether the Cloud Service Provider has the ability to decrypt encrypted data of the cloud customers in case of such requests and how this ability for access or disclosure is used. BC-05 ¶ 1 Bullet 4] | Privacy protection for information and data | Process or Activity | |
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Access to the data processed, stored or transmitted in the cloud service by internal or external employees of the Cloud Service Provider requires the prior consent of an authorised department of the cloud customer, provided that the cloud customer's data is not encrypted, encryption is disabled for access, or contractual agreements do not explicitly exclude such consent. For the consent, the cloud customer's department is provided with meaningful information about the cause, time, duration, type and scope of the access supporting assessing the risks associated with the access. IDM-07 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Behavior | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective Access to or disclosure of cloud customer data in connection with government investigation requests is subject to the proviso that the Cloud Service Provider's legal assessment has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis. INQ-03 ¶ 1] | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 [Investigation requests from government agencies are subjected to a legal assessment by subject matter experts of the Cloud Service Provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken. INQ-01 ¶ 1] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Immediate deletion if the purposes of the collection are fulfilled and further storage is no longer necessary; and OPS-11 ¶ 1 Bullet 5] | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: BC-05 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: Procedures for informing and involving the affected cloud customers upon receipt of such enquiries; BC-05 ¶ 1 Bullet 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Establish Roles | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Metadata is collected and used solely for billing, incident management and security incident management purposes; OPS-11 ¶ 1 Bullet 1 {refrain from using} Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: No commercial use; OPS-11 ¶ 1 Bullet 3] | Privacy protection for information and data | Technical Security | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [Access to the data processed, stored or transmitted in the cloud service by internal or external employees of the Cloud Service Provider requires the prior consent of an authorised department of the cloud customer, provided that the cloud customer's data is not encrypted, encryption is disabled for access, or contractual agreements do not explicitly exclude such consent. For the consent, the cloud customer's department is provided with meaningful information about the cause, time, duration, type and scope of the access supporting assessing the risks associated with the access. IDM-07 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Storage for a fixed period reasonably related to the purposes of the collection; OPS-11 ¶ 1 Bullet 4] | Privacy protection for information and data | Establish/Maintain Documentation | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 [The Cloud Service Provider's procedures establishing access to or disclosing data of cloud customers in the context of investigation requests from governmental agencies ensure that the agencies only gain access to or insight into the data that is the subject of the investigation request. INQ-04 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Data and Information Management | |
Document the exceptions for redisclosing restricted data. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [The type and scope of the information provided will be based on the needs of subject matter experts of the cloud customers who set information security requirements, implement them or verify the implementation (e.g. IT, Compliance, Internal Audit). The information in the guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service: PSS-01 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Communicate | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of the House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceedings or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 [In the system description, the Cloud Service Provider provides comprehensible and transparent information on how investigation enquiries by government agencies for access to or disclosure of cloud customer data are handled. The information includes the following aspects: Procedures to verify the legal basis of such enquiries; BC-05 ¶ 1 Bullet 1] | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [The cloud customer is informed by the Cloud Service Provider whenever internal or external employees of the Cloud Service Provider read or write to the cloud customer's data processed, stored or transmitted in the cloud service or have accessed it without the prior consent of the cloud customer. The information is provided whenever data of the cloud customer is/was not encrypted, the encryption is/was disabled for access or the contractual agreements do not explicitly exclude such information. The information contains the cause, time, duration, type and scope of the access. The information is sufficiently detailed to enable subject matter experts of the cloud customer to assess the risks of the access. The information is provided in accordance with the contractual agreements, or within 72 hours after the access. IDM-07 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: OPS-11 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [{be appropriate} Ensure appropriate handling of government investigation requests for legal review, information to cloud customers, and limitation of access to or disclosure of data. Section 5.16 Objective If the Cloud Service offers functions for software-defined networking (SDN), the confidentiality of the data of the cloud user is ensured by suitable SDN procedures. PSS-10 ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [{not be possible} If no clear limitation of the data is possible, the Cloud Service Provider anonymises or pseudonymises the data so that government agencies can only assign it to those cloud customers who are subject of the investigation request. INQ-04 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The requirements for the logging and monitoring of events and for the secure handling of metadata are implemented by technically supported procedures with regard to the following restrictions: OPS-12 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 [Policies and instructions for the secure handling of metadata (usage data) are documented, communicated and provided according to SP-01 with regard to the following aspects: Exclusively anonymous metadata to deploy and enhance the cloud service so that no conclusions can be drawn about the cloud customer or user; OPS-11 ¶ 1 Bullet 2] | Privacy protection for information and data | Communicate | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 [The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of all data. CRY-02 ¶ 2 The Cloud Service Provider has established procedures and technical measures for strong encryption and authentication for the transmission of data of cloud customers over public networks. CRY-02 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Check the accuracy of restricted data. CC ID 00088 | Privacy protection for information and data | Data and Information Management | |
Check the data accuracy of new accounts. CC ID 04859 | Privacy protection for information and data | Data and Information Management | |
Use documents for identification that do not appear altered or forged. CC ID 04860 | Privacy protection for information and data | Establish/Maintain Documentation | |
Compare the information on the customer's identification card or badge with the information used to open an account. CC ID 04862 | Privacy protection for information and data | Data and Information Management | |
Refrain from using applications that appear altered, reassembled, or forged. CC ID 04863 | Privacy protection for information and data | Data and Information Management | |
Correlate the applicant's social security number with their date of birth. CC ID 04864 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's social security number against existing accounts or different applications. CC ID 04867 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's personal data against known fraudulent activities. CC ID 04865 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's address against known suspicious addresses. CC ID 04866 | Privacy protection for information and data | Data and Information Management | |
Compare the applicant's telephone number or address against records on file for potential matches. CC ID 04868 | Privacy protection for information and data | Data and Information Management | |
Provide additional personal data when the application is incomplete. CC ID 04869 | Privacy protection for information and data | Data and Information Management | |
Interview appropriate parties to validate consumer information. CC ID 16902 | Privacy protection for information and data | Process or Activity | |
Validate a consumer's identity in accordance with applicable requirements. CC ID 16899 | Privacy protection for information and data | Business Processes | |
Use contact methods specified by the consumer for identity verification. CC ID 16878 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain organizational documents. CC ID 16202 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Include version control on organizational documents. CC ID 16268 [{information security policy} The policies and instructions are version controlled and approved by the top management of the Cloud Service Provider or an authorised body. SP-01 ¶ 2] | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: SSO-01 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain an exit plan. CC ID 15492 [The Cloud Service Provider has defined and documented exit strategies for the purchase of services where the risk assessment of the service providers and suppliers regarding the scope, complexity and uniqueness of the purchased service resulted in a very high dependency (cf. Supplementary Information). SSO-05 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Testing | |
Include contingency plans in the third party management plan. CC ID 10030 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 [Exit strategies are aligned with operational continuity plans and include the following aspects: SSO-05 ¶ 2] | Third Party and supply chain oversight | Systems Continuity | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{change} The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the Cloud Service Provider or by automated test procedures that comply with the state-of-the-art. Cloud customers are involved in the tests in accordance with the contractual requirements. DEV-06 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: applicable legal and regulatory requirements; SSO-01 ¶ 1 Bullet 5] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: Records of the third parties on the handling of vulnerabilities, security incidents and malfunctions. SSO-04 ¶ 2 Bullet 4] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: independent third-party reports on the suitability and operating effectiveness of their service-related internal control systems; and SSO-04 ¶ 2 Bullet 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Specifications for applying these requirements also to service providers used by the third parties, insofar as the services provided by these service providers also contribute to the provision of the cloud service. SSO-01 ¶ 1 Bullet 9] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 [In accordance with the contractual agreements, meaningful information about the occasion, time, duration, type and scope of the change is submitted to authorised bodies of the cloud customer so that they can carry out their own risk assessment before the change is made available in the production environment. Regardless of the contractual agreements, this is done for changes that have the highest risk category based on their risk assessment. DEV-05 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include location requirements in third party contracts. CC ID 16915 [The cloud customer is able to specify the locations (location/country) of the data processing and storage including data backups according to the contractually available options. PSS-12 ¶ 1] | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 [Exit strategies are aligned with operational continuity plans and include the following aspects: Analysis of the potential costs, impacts, resources and timing of the transition of a purchased service to an alternative service provider or supplier; SSO-05 ¶ 2 Bullet 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Categorisation and Prioritisation of incidents; BC-02 ¶ 1 Bullet 2 In contractual agreements (e.g. service description), the Cloud Service Provider provides comprehensible, binding and transparent information on: Response times for disruptions of regular operation according to the categorisation (time elapsed between the reporting and the resolution of the disruption by the Cloud Service Provider); BC-02 ¶ 1 Bullet 3 Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for dealing with vulnerabilities, security incidents and malfunctions; SSO-01 ¶ 1 Bullet 6] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Communicate | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [{directory} {service provider} The information in the list is checked at least annually for completeness, accuracy and validity. SSO-03 ¶ 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: SSO-03 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the organization's name in the Third Party Service Provider list. CC ID 17287 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Company name; SSO-03 ¶ 1 Bullet 1] | Third Party and supply chain oversight | Data and Information Management | |
Include disclosure requirements in the Third Party Service Provider list. CC ID 17189 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include storage locations in the Third Party Service Provider list. CC ID 17184 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Locations of data processing and storage; SSO-03 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the processing location in the Third Party Service Provider list. CC ID 17183 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Locations of data processing and storage; SSO-03 ¶ 1 Bullet 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the transferability of services in the Third Party Service Provider list. CC ID 17185 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 [In the system description and the contractual agreements (e.g. service description), the Cloud Service Provider clearly provides comprehensible and transparent information on: System component locations, including its subcontractors, where the cloud customer's data is processed, stored and backed up. BC-01 ¶ 1 Bullet 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Address; SSO-03 ¶ 1 Bullet 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Responsible contact person at the service provider/supplier; SSO-03 ¶ 1 Bullet 4 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Responsible contact person at the cloud service provider; SSO-03 ¶ 1 Bullet 5] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Beginning of service usage; and SSO-03 ¶ 1 Bullet 8] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Description of the service; SSO-03 ¶ 1 Bullet 6] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for the classification of third parties based on the risk assessment by the Cloud Service Provider and the determination of whether the third party is a subcontractor (cf. Supplementary Information); SSO-01 ¶ 1 Bullet 2 The Cloud Service Provider maintains a directory for controlling and monitoring the service providers and suppliers who contribute services to the delivery of the cloud service. The following information is maintained in the directory: Classification based on the risk assessment; SSO-03 ¶ 1 Bullet 7] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [Policies and instructions for controlling and monitoring third parties (e.g. service providers or suppliers) whose services contribute to the provision of the cloud service are documented, communicated and provided in accordance with SP-01 with respect to the following aspects: Requirements for the assessment of risks resulting from the procurement of third-party services; SSO-01 ¶ 1 Bullet 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 [The risk assessment includes the identification, analysis, evaluation, handling and documentation of risks with regard to the following aspects: The Cloud Service Provider's dependence on the service provider or supplier for the scope, complexity and uniqueness of the service purchased, including the consideration of possible alternatives. SSO-02 ¶ 2 Bullet 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Monitoring includes a regular review of the following evidence to the extent that such evidence is to be provided by third parties in accordance with the contractual agreements: certificates of the management systems' compliance with international standards; SSO-04 ¶ 2 Bullet 2] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [Subservice organisations of the Cloud Service Provider are contractually obliged to provide regular reports by independent auditors on the suitability of the design and operating effectiveness of their service-related internal control system. SSO-01 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 [If necessary, the Cloud Service Provider will outsource parts of its business processes for the provision of the cloud service to other service providers (use of subservice organisations). The Cloud Service Provider describes this in its description and the auditor takes this into consideration as specified in the audit standards ISAE 3402. The standard distinguishes for an attestation engagement between the "inclusive method" and the "carve-out method": Section 3.4.5 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain contracts with asset disposition vendors, as necessary. CC ID 14826 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain contracts with Information Technology asset disposition vendors. CC ID 13895 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Specify asset ownership in outsourcing contracts. CC ID 13141 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include performance standards in outsourcing contracts. CC ID 13140 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include quality standards in outsourcing contracts. CC ID 17191 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 | Third Party and supply chain oversight | Establish/Maintain Documentation | |