+C5:2026
---+Asset Management (AM)
------+AM-01 Asset Management Framework
---------+AM-01.01B
---------+AM-01.01AC
---------+AM-01.02AC
------+AM-02 Asset Inventory
---------+AM-02.01B
---------+AM-02.02B
---------+AM-02.03B
---------+AM-02.04B
---------+AM-02.05B
------+AM-03 Hardware Asset Inventory
---------+AM-03.01B
------+AM-04 Software Asset Inventory
---------+AM-04.01B
---------+AM-04.01AC
------+AM-05 Policy for the Proper and Secure Use of Assets
---------+AM-05.01B
---------+AM-05.02B
------+AM-06 Commissioning of Hardware
---------+AM-06.01B
---------+AM-06.02B
------+AM-07 Decommissioning of Hardware
---------+AM-07.01B
---------+AM-07.02B
---------+AM-07.01AC
---------+AM-07.01AS
------+AM-08 Commitment to Proper Use, Safe and Secure Handling and Return of Assets
---------+AM-08.01B
---------+AM-08.02B
---------+AM-08.03B
------+AM-09 Asset Classification and Labelling
---------+AM-09.01B
---------+AM-09.02B
---------+AM-09.03B
---------+AM-09.04B
---------+AM-09.01AC
---------+AM-09.02AC
---------+AM-09.03AC
---------+AM-09.04AC
---------+AM-09 Supplementary Information - Complementary Customer Criteria
------+AM-10 Protection of Hardware on Hold
---------+AM-10.01B
---------+AM-10.01AS
------+AM-11 Transfer of Hardware
---------+AM-11.01B
---------+AM-11.02B
---------+AM-11.03B
------+AM-12 Removable Media and Endpoint Devices
---------+AM-12.01B
---------+AM-12.01AC
---+Business Continuity Management (BCM)
------+BCM-01 Business Continuity and Emergency Management System
---------+BCM-01.01B
---------+BCM-01.02B
---------+BCM-01.03B
---------+BCM-01.04B
------+BCM-02 Business Impact Analysis
---------+BCM-02.01B
---------+BCM-02.02B
---------+BCM-02 Supplementary Information - Complementary Customer Criteria
------+BCM-03 Business Continuity Plans
---------+BCM-03.01B
---------+BCM-03.02B
---------+BCM-03 Supplementary Information - Complementary Customer Criteria
------+BCM-04 Testing Business Continuity
---------+BCM-04.01B
---------+BCM-04.02B
---------+BCM-04.01AC
---------+BCM-04.02AC
---------+BCM-04.03AC
---------+BCM-04.04AC
---------+BCM-04 Supplementary Information - Complementary Customer Criteria
---+Compliance (COM)
------+COM-01 Identification of Applicable Legal, Regulatory, Self-imposed or Contractual Requirements
---------+COM-01.01B
---------+COM-01.01AC
------+COM-02 Policy for Planning and Conducting Audits
---------+COM-02.01B
---------+COM-02.02B
---------+COM-02.01AC
---------+COM-02.01AS
---------+COM-02 Supplementary Information - Complementary Customer Criteria
------+COM-03 Internal Audits of the Information Security Management System
---------+COM-03.01B
---------+COM-03.02B
---------+COM-03.03B
---------+COM-03.01AC
---------+COM-03.02AC
---------+COM-03.03AC
------+COM-04 Information on Information Security Performance and Management Assessment of the ISMS
---------+COM-04.01B
---------+COM-04.01AC
---------+COM-04.02AC
---+Communication Security (COS)
------+COS-01 Technical Safeguards
---------+COS-01.01B
---------+COS-01.02B
---------+COS-01.03B
---------+COS-01.01AC
---------+COS-01 Supplementary Information - Complementary Customer Criteria
------+COS-02 Security Requirements for Connections in the Cloud Service Provider's Network
---------+COS-02.01B
------+COS-03 Monitoring of Connections in the Cloud Service Provider's Network
---------+COS-03.01B
---------+COS-03.02B
---------+COS-03.03B
---------+COS-03.04B
---------+COS-03.05B
---------+COS-03 Supplementary Information - Complementary Customer Criteria
------+COS-04 Cross-Network Access
---------+COS-04.01B
---------+COS-04.02B
---------+COS-04.01AS
---------+COS-04 Supplementary Information - Complementary Customer Criteria
------+COS-05 Networks for Administration
---------+COS-05.01B
---------+COS-05.02B
---------+COS-05.01AC
------+COS-06 Separation of Data Traffic in Jointly Used Network Environments
---------+COS-06.01B
---------+COS-06.01AC
---------+COS-06 Supplementary Information - Complementary Customer Criteria
------+COS-07 Documentation of the Network Topology
---------+COS-07.01B
---------+COS-07.02B
---------+COS-07.03B
---------+COS-07.04B
------+COS-08 Policies for Data Transmission
---------+COS-08.01B
---------+COS-08.02B
---------+COS-08 Supplementary Information - Complementary Customer Criteria
---+Cryptography and Key Management (CRY)
------+CRY-01 Policy for the Use of Cryptographic Mechanisms
---------+CRY-01.01B
---------+CRY-01.02B
---------+CRY-01.01AC
---------+CRY-01.02AC
---------+CRY-01.03AC
------+CRY-02 Cryptographic Change Management
---------+CRY-02.01B
---------+CRY-02.02B
---------+CRY-02.03B
---------+CRY-02 Supplementary Information - Complementary Customer Criteria
------+CRY-03 Review of Cryptography Practices
---------+CRY-03.01B
---------+CRY-03.02B
------+CRY-04 Protection of Data for Transmission (Transport Protection)
---------+CRY-04.01B
---------+CRY-04.02B
---------+CRY-04.01AS
---------+CRY-04 Supplementary Information - Complementary Customer Criteria
------+CRY-05 Encryption of Sensitive Data at Rest
---------+CRY-05.01B
---------+CRY-05.02B
---------+CRY-05.03B
---------+CRY-05.04B
---------+CRY-05.05B
---------+CRY-05.01AC
---------+CRY-05 Supplementary Information - Complementary Customer Criteria
------+CRY-06 Secure Key Generation
---------+CRY-06.01B
------+CRY-07 Rotation of Cryptographic Keys
---------+CRY-07.01B
------+CRY-08 Public-Key Certificate Issuance
---------+CRY-08.01B
---------+CRY-08 Supplementary Information - Complementary Customer Criteria
------+CRY-09 Secure Key Provisioning
---------+CRY-09.01B
---------+CRY-09.02B
------+CRY-10 Secure Storage of Keys
---------+CRY-10.01B
---------+CRY-10.01AC
------+CRY-11 Cryptographic Key Archival
---------+CRY-11.01B
------+CRY-12 Cryptographic Key Transition Management
---------+CRY-12.01B
------+CRY-13 Handling of Compromised Keys
---------+CRY-13.01B
---------+CRY-13.02B
------+CRY-14 Secure Deactivation of Cryptographic Keys
---------+CRY-14.01B
------+CRY-15 Requirements for Pre-Shared Keys
---------+CRY-15.01B
------+CRY-16 Operational Continuity for Key Management
---------+CRY-16.01B
---------+CRY-16.02B
------+CRY-17 Cryptographic Key Lifecycle Management
---------+CRY-17.01B
---------+CRY-17.02B
------+CRY-18 Usage of External Key Management Systems
---------+CRY-18.01B
---------+CRY-18 Supplementary Information - Complementary Customer Criteria
------+CRY-19 Secure Handling of Customer Managed Keys
---------+CRY-19.01B
---------+CRY-19 Supplementary Information - Complementary Customer Criteria
---+Procurement, Development and Modification of Information Systems (DEV)
------+DEV-01 Policies for the Development/Procurement of System Components
---------+DEV-01.01B
---------+DEV-01.02B
---------+DEV-01.03B
---------+DEV-01.01AC
------+DEV-02 Outsourcing of the Development
---------+DEV-02.01B
---------+DEV-02.02B
---------+DEV-02.01AC
---------+DEV-02.02AC
------+DEV-03 Policies for Changes to System Components
---------+DEV-03.01B
------+DEV-04 Safety Training and Awareness Programme Regarding Continuous Software Delivery and Associated Systems, Components or Tools
---------+DEV-04.01B
---------+DEV-04.02B
------+DEV-05 Design Documentation for Security Features
---------+DEV-05.01B
------+DEV-06 Risk Assessment, Categorisation and Prioritisation of Changes
---------+DEV-06.01B
---------+DEV-06.02B
---------+DEV-06.01AC
------+DEV-07 Testing Changes
---------+DEV-07.01B
---------+DEV-07.02B
---------+DEV-07.03B
---------+DEV-07.04B
---------+DEV-07.05B
---------+DEV-07.01AC
---------+DEV-07 Supplementary Information - Complementary Customer Criteria
------+DEV-08 Logging of Changes
---------+DEV-08.01B
---------+DEV-08.02B
---------+DEV-08.01AC
------+DEV-09 Version Control
---------+DEV-09.01B
---------+DEV-09.02B
---------+DEV-09.03B
---------+DEV-09.01AC
---------+DEV-09.02AC
------+DEV-10 Approvals for Provision in the Production Environment
---------+DEV-10.01B
---------+DEV-10.02B
---------+DEV-10.01AC
---------+DEV-10 Supplementary Information - Complementary Customer Criteria
------+DEV-11 Protection of Development and Test Environments
---------+DEV-11.01B
------+DEV-12 Separation of Environments
---------+DEV-12.01B
---------+DEV-12.02B
------+DEV-13 Transparency about Software Components
---------+DEV-13.01B
---------+DEV-13.02B
------+DEV-14 Secure Use of Third Party Hardware and Software
---------+DEV-14.01B
---------+DEV-14.02B
---------+DEV-14.03B
---------+DEV-14.01AC
------+DEV-15 Exceptions to the Change Management Process
---------+DEV-15.01B
---+Information on the General Conditions of the Cloud Service
------+GC-01 Information on applicable law, jurisdiction, countries, partitions, regions, zones and locations
------+GC-02 Information on availability and incident handling during regular operation
------+GC-03 Information on recovery parameters in emergency operation
------+GC-04 Information on the approach to ensuring service availability
------+GC-05 Information on how investigation requests from government agencies are handled
------+GC-06 Information on certifications or attestations
---+Personnel (HR)
------+HR-01 Verification of Qualification and Trustworthiness
---------+HR-01.01B
---------+HR-01.02B
---------+HR-01.03B
---------+HR-01.04B
---------+HR-01.05B
---------+HR-01.06B
---------+HR-01.01AC
------+HR-02 Employment Terms and Conditions
---------+HR-02.01B
---------+HR-02.02B
---------+HR-02.03B
---------+HR-02.04B
---------+HR-02.05B
------+HR-03 Security Training and Awareness Programme
---------+HR-03.01B
---------+HR-03.02B
---------+HR-03.03B
---------+HR-03.04B
---------+HR-03.01AC
---------+HR-03.02AC
---------+HR-03.03AC
---------+HR-03.04AC
---------+HR-03.05AC
---------+HR-03.02AS
------+HR-04 Disciplinary Measures
---------+HR-04.01B
---------+HR-04.02B
---------+HR-04.03B
---------+HR-04.04B
------+HR-05 Responsibilities in the Event of Termination or Change of Employment
---------+HR-05.01B
------+HR-06 Non-disclosure Agreements
---------+HR-06.01B
---------+HR-06.02B
---------+HR-06.03B
---------+HR-06.04B
---------+HR-06.05B
---------+HR-06.06B
------+HR-07 Remote Working - Policy
---------+HR-07.01B
------+HR-08 Remote Working - Implementation
---------+HR-08.01B
---+Identity and Access Management (IAM)
------+IAM-01 Policy for Identities and Access Rights
---------+IAM-01.01B
---------+IAM-01.02B
---------+IAM-01.03B
---------+IAM-01.01AC
------+IAM-02 Granting and Change of Identities and Access Rights
---------+IAM-02.01B
---------+IAM-02.02B
---------+IAM-02.03B
------+IAM-03 Risk-Based Procedure for Locking and Withdrawal of Identities
---------+IAM-03.01B
---------+IAM-03.02B
---------+IAM-03.03B
---------+IAM-03.04B
---------+IAM-03.01AC
---------+IAM-03.02AC
---------+IAM-03.03AC
---------+IAM-03.03AS
------+IAM-04 Withdrawal or Adjustment of Access Rights as the Task Area Changes
---------+IAM-04.01B
---------+IAM-04.02B
---------+IAM-04.03B
---------+IAM-04.04B
---------+IAM-04.05B
------+IAM-05 Regular Review of Access Rights
---------+IAM-05.01B
---------+IAM-05.02B
---------+IAM-05.03B
---------+IAM-05.04B
---------+IAM-05.05B
---------+IAM-05.01AC
------+IAM-06 Privileged Access Rights
---------+IAM-06.01B
---------+IAM-06.02B
---------+IAM-06.03B
---------+IAM-06.04B
---------+IAM-06.05B
---------+IAM-06.06B
---------+IAM-06.07B
---------+IAM-06.08B
---------+IAM-06.09B
---------+IAM-06.01AC
---------+IAM-06.02AC
---------+IAM-06.03AC
---------+IAM-06.04AC
------+IAM-07 Access to Cloud Service Customer Data
---------+IAM-07.01B
---------+IAM-07.02B
---------+IAM-07.03B
---------+IAM-07.04B
---------+IAM-07.05B
---------+IAM-07.06B
---------+IAM-07.01AC
---------+IAM-07.02AC
---------+IAM-07.03AC
---------+IAM-07.04AC
---------+IAM-07.03AS
---------+IAM-07.04AS
---------+IAM-07.06AS
---------+IAM-07 Supplementary Information - Complementary Customer Criteria
------+IAM-08 Authentication Mechanisms
---------+IAM-08.01B
---------+IAM-08.02B
---------+IAM-08.03B
---------+IAM-08.04B
---------+IAM-08.05B
---------+IAM-08.06B
---------+IAM-08.07B
---------+IAM-08.02AS
---------+IAM-08.03AS
------+IAM-09 Confidentiality of Authentication Information
---------+IAM-09.01B
---------+IAM-09.02B
---------+IAM-09.03B
---------+IAM-09.04B
---------+IAM-09.05B
---------+IAM-09.06B
---------+IAM-09.07B
---------+IAM-09.01AC
---+Dealing with Investigation Requests from Government Agencies (INQ)
------+INQ-01 Legal Assessment of Investigation Requests
---------+INQ-01.01B
---------+INQ-01.02B
---------+INQ-01 Supplementary Information - Complementary Customer Criteria
------+INQ-02 Informing Cloud Service Customers about Investigation Requests
---------+INQ-02.01B
---------+INQ-02 Supplementary Information - Complementary Customer Criteria
------+INQ-03 Limiting Access to or Disclosure of Data in Investigation Requests
---------+INQ-03.01B
---------+INQ-03.02B
---------+INQ-03.01AC
---------+INQ-03.02AC
------+INQ-04 Communication of Technical Procedures for Data Disclosure in Investigation Requests
---------+INQ-04.01B
---------+INQ-04.02B
---------+INQ-04.03B
---------+INQ-04 Supplementary Information - Complementary Customer Criteria
---+Organisation of Information Security (OIS)
------+OIS-01 Information Security Management System (ISMS)
---------+OIS-01.01B
---------+OIS-01.02B
---------+OIS-01.03B
---------+OIS-01.01AC
---------+OIS-01.01AS
------+OIS-02 Information Security Policy
---------+OIS-02.01B
---------+OIS-02.02B
---------+OIS-02.03B
------+OIS-03 Interfaces and Dependencies
---------+OIS-03.01B
---------+OIS-03.02B
---------+OIS-03.03B
---------+OIS-03.04B
---------+OIS-03.05B
---------+OIS-03 Supplementary Information - Complementary Customer Criteria
------+OIS-04 Segregation of Duties
---------+OIS-04.01B
---------+OIS-04.02B
---------+OIS-04.03B
---------+OIS-04.04B
---------+OIS-04.01AC
---------+OIS-04.02AC
------+OIS-05 Threat Intelligence
---------+OIS-05.01B
---------+OIS-05.02B
---------+OIS-05.03B
------+OIS-06 Contact with Relevant Government Agencies and Interest Groups
---------+OIS-06.01B
------+OIS-07 Risk Management Policy
---------+OIS-07.01B
------+OIS-08 Application of the Risk Management Policy - Risk Assessment
---------+OIS-08.01B
---------+OIS-08.02B
---------+OIS-08.03B
---------+OIS-08.04B
---------+OIS-08.05B
---------+OIS-08.06B
---------+OIS-08.01AC
---------+OIS-08.02AC
---------+OIS-08.01AS
------+OIS-09 Application of the Risk Management Policy - Risk Treatment
---------+OIS-09.01B
---------+OIS-09.02B
---------+OIS-09.03B
---------+OIS-09.04B
---------+OIS-09.05B
---------+OIS-09.06B
---------+OIS-09.07B
------+OIS-10 Information Security in Project Management
---------+OIS-10.01B
---+Operations (OPS)
------+OPS-01 Capacity Management - Planning
---------+OPS-01.01B
---------+OPS-01.02B
---------+OPS-01.03B
---------+OPS-01.01AC
---------+OPS-01 Supplementary Information - Complementary Customer Criteria
------+OPS-02 Capacity Management - Monitoring
---------+OPS-02.01B
---------+OPS-02.02B
---------+OPS-02.01AC
---------+OPS-02 Supplementary Information - Complementary Customer Criteria
------+OPS-03 Capacity Management - Controlling of Resources
---------+OPS-03.01B
---------+OPS-03.02B
---------+OPS-03 Supplementary Information - Complementary Customer Criteria
------+OPS-04 Protection Against Malware - Policies and Procedures
---------+OPS-04.01B
------+OPS-05 Protection Against Malware - Implementation
---------+OPS-05.01B
---------+OPS-05.02B
---------+OPS-05.03B
---------+OPS-05.01AC
---------+OPS-05.02AC
---------+OPS-05.03AC
---------+OPS-05.02AS
---------+OPS-05 Supplementary Information - Complementary Customer Criteria
------+OPS-06 Data Backup and Recovery - Policies and Procedures
---------+OPS-06.01B
---------+OPS-06.01AS
---------+OPS-06 Supplementary Information - Complementary Customer Criteria
------+OPS-07 Data Backup and Recovery - Monitoring
---------+OPS-07.01B
---------+OPS-07.02B
---------+OPS-07.01AC
---------+OPS-07 Supplementary Information - Complementary Customer Criteria
------+OPS-08 Data Backup and Recovery - Regular Testing
---------+OPS-08.01B
---------+OPS-08.02B
---------+OPS-08.03B
---------+OPS-08.04B
---------+OPS-08.05B
---------+OPS-08.01AC
---------+OPS-08.02AC
---------+OPS-08 Supplementary Information - Complementary Customer Criteria
------+OPS-09 Data Backup and Recovery - Storage
---------+OPS-09.01B
---------+OPS-09.02B
---------+OPS-09.03B
---------+OPS-09.04B
---------+OPS-09.05B
------+OPS-10 Logging and Monitoring - Policies and Procedures
---------+OPS-10.01B
---------+OPS-10 Supplementary Information - Complementary Customer Criteria
------+OPS-11 Logging and Monitoring - Policies and Procedures for Handling Cloud Service Derived Data and Account Data
---------+OPS-11.01B
---------+OPS-11.02B
---------+OPS-11.01AC
---------+OPS-11.02AC
---------+OPS-11 Supplementary Information - Complementary Customer Criteria
------+OPS-12 Logging and Monitoring - Access, Retention and Deletion
---------+OPS-12.01B
------+OPS-13 Logging and Monitoring - Security Information and Event Management
---------+OPS-13.01B
---------+OPS-13.02B
---------+OPS-13.01AC
---------+OPS-13.02AC
---------+OPS-13.03AC
------+OPS-14 Logging and Monitoring - Retention of the Logging Data
---------+OPS-14.01B
---------+OPS-14.02B
---------+OPS-14.03B
---------+OPS-14 Supplementary Information - Complementary Customer Criteria
------+OPS-15 Logging and Monitoring - Accountability
---------+OPS-15.01B
---------+OPS-15.02B
---------+OPS-15.03B
---------+OPS-15.01AC
---------+OPS-15.02AC
---------+OPS-15 Supplementary Information - Complementary Customer Criteria
------+OPS-16 Logging and Monitoring - Configuration
---------+OPS-16.01B
---------+OPS-16.02B
------+OPS-17 Logging and Monitoring - Availability of the Monitoring Software
---------+OPS-17.01B
---------+OPS-17.02B
---------+OPS-17.01AC
---------+OPS-17.02AC
------+OPS-18 Managing Vulnerabilities - Policies and Procedures
---------+OPS-18.01B
---------+OPS-18.02B
---------+OPS-18.03B
---------+OPS-18.04B
---------+OPS-18.05B
---------+OPS-18 Supplementary Information - Complementary Customer Criteria
------+OPS-19 Managing Incidents and Crashes - Policies and Procedures
---------+OPS-19.01B
------+OPS-20 Managing Incidents - Implementation
---------+OPS-20.01B
------+OPS-21 Managing Crashes - Implementation
---------+OPS-21.01B
------+OPS-22 Managing Vulnerabilities, Incidents and Crashes - Penetration Tests
---------+OPS-22.01B
---------+OPS-22.02B
---------+OPS-22.03B
---------+OPS-22.04B
---------+OPS-22.05B
---------+OPS-22.06B
---------+OPS-22.07B
---------+OPS-22.08B
---------+OPS-22.01AC
---------+OPS-22.02AC
---------+OPS-22.03AC
---------+OPS-22.04AC
---------+OPS-22.05AC
---------+OPS-22.01AS
---------+OPS-22.02AS
---------+OPS-22.03AS
------+OPS-23 Managing Vulnerabilities, Incidents and Crashes - Measurements, Analyses and Assessments of Procedures
---------+OPS-23.01B
---------+OPS-23.02B
------+OPS-24 Involvement of Cloud Service Customers in the Event of Incidents
---------+OPS-24.01B
---------+OPS-24.02B
---------+OPS-24.01AC
---------+OPS-24 Supplementary Information - Complementary Customer Criteria
------+OPS-25 Managing Vulnerabilities, Incidents and Crashes - Vulnerability Scans
---------+OPS-25.01B
---------+OPS-25.02B
---------+OPS-25.03B
---------+OPS-25.04B
---------+OPS-25.01AC
---------+OPS-25.01AS
---------+OPS-25.02AS
---------+OPS-25 Supplementary Information - Complementary Customer Criteria
------+OPS-26 Managing Vulnerabilities, Incidents and Crashes - System Hardening
---------+OPS-26.01B
---------+OPS-26.02B
---------+OPS-26.03B
---------+OPS-26.04B
---------+OPS-26.05B
---------+OPS-26.06B
---------+OPS-26.05AS
---------+OPS-26 Supplementary Information - Complementary Customer Criteria
------+OPS-27 Managing Vulnerabilities - Patch Management Policies and Procedures
---------+OPS-27.01B
---------+OPS-27.02B
---------+OPS-27.03B
---------+OPS-27.04B
---------+OPS-27.03AS
------+OPS-28 Managing Vulnerabilities - Patch Management Implementation
---------+OPS-28.01B
------+OPS-29 Managing Vulnerabilities, Incidents and Crashes - Externally Sourced Components
---------+OPS-29.01B
------+OPS-30 Separation of Datasets - Policies and Procedures
---------+OPS-30.01B
------+OPS-31 Separation of Datasets - Implementation
---------+OPS-31.01B
---------+OPS-31.02B
---------+OPS-31.03B
---------+OPS-31 Supplementary Information - Complementary Customer Criteria
------+OPS-32 Confidential Computing - Policies and Procedures
---------+OPS-32.01B
---------+OPS-32.02B
---------+OPS-32.03B
---------+OPS-32.01AC
------+OPS-33 Confidential Computing - Remote Attestation
---------+OPS-33.01B
---------+OPS-33.02B
---------+OPS-33.03B
---------+OPS-33.01AC
---------+OPS-33.02AC
------+OPS-34 Container Management - Policies and Procedures
---------+OPS-34.01B
---------+OPS-34.02B
---------+OPS-34.01AC
------+OPS-35 Container Management - Implementation
---------+OPS-35.01B
---+Portability and Interoperability (PI)
------+PI-01 Safety of Input and Output Interfaces
---------+PI-01.01B
---------+PI-01.02B
---------+PI-01.01AC
---------+PI-01.02AC
---------+PI-01.03AC
---------+PI-01 Supplementary Information - Complementary Customer Criteria
------+PI-02 Contractual Agreements for the Provision of Data
---------+PI-02.01B
---------+PI-02.01AC
---------+PI-02.02AC
---------+PI-02 Supplementary Information - Complementary Customer Criteria
------+PI-03 Secure Deletion of Data
---------+PI-03.01B
---------+PI-03.02B
---------+PI-03.03B
---------+PI-03 Supplementary Information - Complementary Customer Criteria
---+Physical Security (PS)
------+PS-01 Physical Security and Environmental Control Requirements
---------+PS-01.01B
---------+PS-01.02B
---------+PS-01.03B
---------+PS-01.04B
---------+PS-01.05B
---------+PS-01.06B
---------+PS-01.01AC
---------+PS-01.02AC
---------+PS-01.03AC
---------+PS-01.04AC
---------+PS-01.05AC
------+PS-02 Redundancy Model
---------+PS-02.01B
---------+PS-02.02B
---------+PS-02.03B
---------+PS-02.01AS
---------+PS-02.02AS
---------+PS-02 Supplementary Information - Complementary Customer Criteria
------+PS-03 Perimeter Protection
---------+PS-03.01B
---------+PS-03.02B
---------+PS-03.03B
---------+PS-03.04B
---------+PS-03.05B
---------+PS-03.06B
---------+PS-03.01AC
------+PS-04 Physical Site Access Control
---------+PS-04.01B
---------+PS-04.02B
---------+PS-04.03B
------+PS-05 Protection against Threats from Outside and from the Environment
---------+PS-05.01B
---------+PS-05.02B
---------+PS-05.03B
---------+PS-05.04B
------+PS-06 Protection against Interruptions caused by Power Failures and similar Risks to Supply Facilities
---------+PS-06.01B
---------+PS-06.02B
---------+PS-06.03B
---------+PS-06.01AC
---------+PS-06.02AC
---------+PS-06.03AC
---------+PS-06.04AC
------+PS-07 Surveillance of Operational and Environmental Parameters
---------+PS-07.01B
---------+PS-07.02B
------+PS-08 Workplace Security Requirements
---------+PS-08.01B
---+Product Safety and Security (PSS)
------+PSS-01 Guidelines and Recommendations for Cloud Service Customers
---------+PSS-01.01B
---------+PSS-01.02B
---------+PSS-01.03B
---------+PSS-01.04B
---------+PSS-01.01AC
---------+PSS-01 Supplementary Information - Complementary Customer Criteria
------+PSS-02 Identification of Vulnerabilities of the Cloud Service
---------+PSS-02.01B
---------+PSS-02.02B
---------+PSS-02.03B
---------+PSS-02.01AC
------+PSS-03 Informing Customers about Known Vulnerabilities
---------+PSS-03.01B
---------+PSS-03.02B
---------+PSS-03.03B
---------+PSS-03.04B
---------+PSS-03.05B
---------+PSS-03.01AC
---------+PSS-03.02AC
---------+PSS-03 Supplementary Information - Complementary Customer Criteria
------+PSS-04 Error handling and Logging Mechanisms
---------+PSS-04.01B
---------+PSS-04.02B
---------+PSS-04.03B
---------+PSS-04.04B
---------+PSS-04.05B
---------+PSS-04.06B
---------+PSS-04.01AC
---------+PSS-04 Supplementary Information - Complementary Customer Criteria
------+PSS-05 Authentication Mechanisms
---------+PSS-05.01B
---------+PSS-05.02B
---------+PSS-05.01AC
---------+PSS-05 Supplementary Information - Complementary Customer Criteria
------+PSS-06 Session Management
---------+PSS-06.01B
---------+PSS-06.02B
---------+PSS-06 Supplementary Information - Complementary Customer Criteria
------+PSS-07 Confidentiality of Authentication Information
---------+PSS-07.01B
---------+PSS-07.02B
---------+PSS-07.03B
---------+PSS-07 Supplementary Information - Complementary Customer Criteria
------+PSS-08 Roles and Rights Framework
---------+PSS-08.01B
---------+PSS-08.02B
---------+PSS-08.03B
---------+PSS-08.04B
---------+PSS-08 Supplementary Information - Complementary Customer Criteria
------+PSS-09 Authorisation Mechanisms
---------+PSS-09.01B
---------+PSS-09.02B
---------+PSS-09.03B
---------+PSS-09.01AC
---------+PSS-09 Supplementary Information - Complementary Customer Criteria
------+PSS-10 Software Defined Networking
---------+PSS-10.01B
---------+PSS-10.02B
---------+PSS-10 Supplementary Information - Complementary Customer Criteria
------+PSS-11 Images for Virtual Machines and Containers
---------+PSS-11.01B
---------+PSS-11.01AC
---------+PSS-11.02AC
---------+PSS-11 Supplementary Information - Complementary Customer Criteria
------+PSS-12 Region of Data Processing and Storage
---------+PSS-12.01B
---------+PSS-12.02B
---------+PSS-12.03B
---------+PSS-12.04B
---------+PSS-12.01AC
---------+PSS-12.02AC
---------+PSS-12.01AS
---------+PSS-12.02AS
---------+PSS-12 Supplementary Information - Complementary Customer Criteria
---+Security Incident Management (SIM)
------+SIM-01 Policy for Security Incident Management
---------+SIM-01.01B
---------+SIM-01.02B
---------+SIM-01.03B
---------+SIM-01.04B
---------+SIM-01 Supplementary Information - Complementary Customer Criteria
------+SIM-02 Security Incident Response Plans
---------+SIM-02.01B
---------+SIM-02.02B
------+SIM-03 Processing of Security Incidents
---------+SIM-03.01B
---------+SIM-03.02B
---------+SIM-03.03B
---------+SIM-03.04B
---------+SIM-03.05B
---------+SIM-03.06B
---------+SIM-03.07B
---------+SIM-03.01AC
---------+SIM-03.02AC
---------+SIM-03.03AC
------+SIM-04 Documentation and Reporting of Security Incidents
---------+SIM-04.01B
---------+SIM-04.02B
---------+SIM-04.01AC
---------+SIM-04.02AC
---------+SIM-04 Supplementary Information - Complementary Customer Criteria
------+SIM-05 Duty of the Personnel to Report Security Incidents to a Central Body
---------+SIM-05.01B
---------+SIM-05.02B
---------+SIM-05.03B
---------+SIM-05 Supplementary Information - Complementary Customer Criteria
------+SIM-06 Evaluation and Learning Process
---------+SIM-06.01B
---------+SIM-06.02B
---------+SIM-06.03B
---------+SIM-06.04B
---------+SIM-06 Supplementary Information - Complementary Customer Criteria
---+Security Policies and Procedures (SP)
------+SP-01 Documentation, Communication and Provision of Policies and Procedures
---------+SP-01.01B
---------+SP-01.02B
---------+SP-01.03B
---------+SP-01.04B
------+SP-02 Review and Approval of Policies and Procedures
---------+SP-02.01B
---------+SP-02.02B
------+SP-03 Exceptions from Existing Policies and Procedures
---------+SP-03.01B
---------+SP-03.02B
---------+SP-03.03B
---------+SP-03.04B
---------+SP-03.05B
---------+SP-03.01AC
---------+SP-03.02AC
---------+SP-03.03AC
---------+SP-03 Supplementary Information - Complementary Customer Criteria
---+Control and Monitoring of Service Providers and Suppliers (SSO)
------+SSO-01 Policies and Procedures for Controlling and Monitoring Service Organisations
---------+SSO-01.01B
---------+SSO-01.01AC
---------+SSO-01.02AC
------+SSO-02 Risk Assessment of Service Organisations
---------+SSO-02.01B
---------+SSO-02.02B
------+SSO-03 Data Processing of Service Organisations
---------+SSO-03.01B
---------+SSO-03.02B
---------+SSO-03.01AS
------+SSO-04 Directory of Service Organisations
---------+SSO-04.01B
---------+SSO-04.02B
------+SSO-05 Monitoring of Compliance with Requirements
---------+SSO-05.01B
---------+SSO-05.02B
---------+SSO-05.03B
---------+SSO-05.04B
---------+SSO-05.05B
---------+SSO-05.06B
---------+SSO-05.07B
---------+SSO-05.01AC
---------+SSO-05.02AC
---------+SSO-05.03AC
---------+SSO-05 Supplementary Information - Complementary Customer Criteria
------+SSO-06 Contract Termination Strategy for Service Organisations
---------+SSO-06.01B
---------+SSO-06.02B
------+SSO-07 Ensuring Transparency within Service Organisations
---------+SSO-07.01B
---------+SSO-07.02B
---------+SSO-07.01AS
------+SSO-08 Controlling Exchanges with Suppliers of Functional Components
---------+SSO-08.01B
---------+SSO-08.02B
---------+SSO-08.03B

1. Overview

C5:2026
Designation Standard
Asset Management (AM) Objective: Identify the organisation’s own assets and ensure an appropriate level of protection throughout their lifecycle.
Business Continuity Management (BCM) Objective: Plan, implement, maintain and test procedures and measures for business continuity and emergency management.
Compliance (COM) Objective: Avoid non-compliance with legal, regulatory, self-imposed or contractual information security and compliance requirements.
Communication Security (COS) Objective: Ensure the protection of information in networks and the corresponding information processing systems.
Cryptography and Key Management (CRY) Objective: Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.
Procurement, Development and Modification of Information Systems (DEV) Objective: Ensure information security in the development cycle of cloud service system components.
Information on the General Conditions of the Cloud Service The information on the general conditions of the cloud service - also called ‘General Conditions’ or
‘GC’ for short - serves to provide cloud service customers with additional information on the level of
information security offered by the cloud service. The information enables cloud service customers
to assess the suitability of the cloud service for their individual use case. They are also intended
to ensure a comparable reporting to make it easier for cloud service customers to compare several
cloud service providers or cloud services for which a C5 report has been issued.
Since in the case of a direct engagement, the audit is not based on a system description provided
by the cloud service provider, the auditor shall document details of the general conditions in accordance with the information provided by the cloud service provider (cf. section 3.4).
The information is prepared to meet the common needs of a broad range of subject matter experts of
the cloud service customers who define or implement information security requirements, validate
their effectiveness or assess the suitability of the cloud service from a legal and regulatory perspective
(e.g. IT, compliance, internal audit).
Personnel (HR) Objective: Ensure that personnel understands its responsibilities, is aware of its responsibilities regarding information security, and that the organisation’s assets are protected in the event of changes in responsibilities or termination.
Identity and Access Management (IAM) Objective: Secure the authorisation and authentication of users of the cloud service provider to prevent unauthorised access.
Dealing with Investigation Requests from Government Agencies (INQ) Objective: Ensure appropriate handling of government investigation requests for legal review, information to cloud service customers, and limitation of access to or disclosure of data.
Organisation of Information Security (OIS) Objective: Plan, implement, maintain and continuously improve the information security framework within the organisation.
Operations (OPS) Objective: Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures.
Portability and Interoperability (PI) Objective: Enable the ability to access the cloud service via other cloud services or IT systems of the cloud service customers, to obtain the stored data at the end of the contractual relationship and to securely delete it from the cloud service provider.
Physical Security (PS) Objective: Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations.
Product Safety and Security (PSS) Objective: Provide up-to-date information on the secure configuration and known vulnerabilities of the cloud service for cloud service customers, appropriate mechanisms for troubleshooting and logging, as well as authentication and authorisation of users of cloud service customers.
Security Incident Management (SIM) Objective: Ensure a consistent and comprehensive approach to the capturing, evaluation, communication and handling of security incidents.
Security Policies and Procedures (SP) Objective: Provide policies and procedures regarding security requirements and to support business requirements.
Control and Monitoring of Service Providers and Suppliers (SSO) Objective: Ensure the protection of information that service providers or suppliers of the cloud service provider (service organisation) can access and monitor the agreed services and security requirements.

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation