1. Overview
AM-09 Asset Classification and Labelling

| Designation | Standard |
| AM-09.01B | Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the category of cloud service customer data, cloud service derived data, cloud service provider data and account data it processes, stores, or transmits. If the cloud service provider does not categorise the assets specifically, then all assets may be treated as requiring the highest level of protection needs. |
| AM-09.02B | Classification levels are reviewed at least annually and in case of significant changes to the cloud service. Based on the review, the classification levels are updated where appropriate. If the cloud service provider does not categorise the assets specifically, then all assets may be treated as requiring the highest level of protection needs. If a review is caused by significant changes to the cloud service, only the classification levels affected by the changes need to be included in the review. |
| AM-09.03B | The protection need is determined by the individuals or groups responsible for the assets of the cloud service provider according to a uniform and documented classification schema. If the cloud service provider does not categorise the assets specifically, then all assets may be treated as requiring the highest level of protection needs. |
| AM-09.04B | The classification schema provides levels of protection for the confidentiality, integrity, availability, and authenticity protection objectives. These protection objectives are aligned with delivery and recovery objectives set out in business and disaster recovery plans. If the cloud service provider does not categorise the assets specifically, then all assets may be treated as requiring the highest level of protection needs. |
| AM-09.01AC | The unique identification of physical devices serves as an additional method for connection authentication. To ensure that all physical assets are uniquely identified, the cloud service provider may implement practices such as: 1. Use of a centralised device management platform to monitor and control all devices; 2. Assigning unique identifiers (e.g. MAC addresses, serial numbers) to all devices; and 3. Use of automated mechanisms to register connecting devices. |
| AM-09.02AC | Device identification is integrated into the asset classification and labelling processes. Integrating device identification ensures that each asset is uniquely recognised and appropriately classified based on its protection needs. This is particularly important for mobile and endpoint devices, which may carry sensitive data or serve as access points to cloud services. Proper labelling supports traceability, risk assessment, and enforcement of security controls throughout the asset lifecycle. |
| AM-09.03AC | Logging and monitoring applications take the asset protection needs into account in order to inform the responsible stakeholder of events that could lead to a violation of the protection goals, so that the necessary measures are taken with an appropriate priority. |
| AM-09.04AC | Actions for events on assets with a higher level of protection take precedence over events on assets with a lower protection need. |
| AM-09 Supplementary Information - Complementary Customer Criteria | Cloud service customers ensure with suitable controls that the protection need of the information that can be processed or stored with the cloud service is adequately determined. Cloud service customers ensure with suitable controls that the information processed or stored with the cloud service is protected against tampering, copying, modifying, redirecting or deleting in accordance with its protection needs. |
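The classification schema of AM-09.04B, the unique device identifiers of AM-09.01AC and the classification-aware event prioritisation of AM-09.03AC and AM-09.04AC, as an added Python illustration that is not part of the C5 catalogue or of this page. The three-step level scale, the asset records, the log line format and the log lines themselves are constructed assumptions; the catalogue prescribes none of them. The fallback for unclassified or unregistered assets follows the "highest level of protection needs" clause of AM-09.01B to AM-09.04B.

```python
"""Asset classification schema and classification-aware event prioritisation.

Added illustration for the AM-09 criteria (not part of the C5 catalogue):
- a schema with protection levels for confidentiality, integrity, availability
  and authenticity (AM-09.04B),
- assets registered under a unique device identifier (AM-09.01AC/02AC),
- monitoring events ordered so that those affecting assets with a higher
  protection need are handled first (AM-09.03AC/04AC).
Level scale, asset records and log lines are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional
import re


class Level(IntEnum):
    # Constructed three-step scale; any documented, uniform scale would do.
    NORMAL = 1
    HIGH = 2
    VERY_HIGH = 3


@dataclass(frozen=True)
class ProtectionNeed:
    confidentiality: Level
    integrity: Level
    availability: Level
    authenticity: Level

    @property
    def overall(self) -> Level:
        # The highest single objective drives the asset's overall handling priority.
        return max(self.confidentiality, self.integrity,
                   self.availability, self.authenticity)


HIGHEST = ProtectionNeed(Level.VERY_HIGH, Level.VERY_HIGH,
                         Level.VERY_HIGH, Level.VERY_HIGH)


@dataclass
class Asset:
    identifier: str                      # unique device id, e.g. serial number or MAC
    owner: str                           # responsible individual or group (AM-09.03B)
    need: Optional[ProtectionNeed] = None  # None = not yet classified


class AssetRegistry:
    def __init__(self) -> None:
        self._assets: dict = {}

    def register(self, asset: Asset) -> None:
        # Identifiers must be unique, otherwise events cannot be attributed reliably.
        if asset.identifier in self._assets:
            raise ValueError(f"duplicate identifier {asset.identifier}")
        self._assets[asset.identifier] = asset

    def protection_need(self, identifier: str) -> ProtectionNeed:
        asset = self._assets.get(identifier)
        if asset is None or asset.need is None:
            # Not categorised specifically: treat as highest protection need.
            return HIGHEST
        return asset.need


@dataclass
class PrioritisedEvent:
    priority: int      # numeric protection level of the affected objective
    device: str
    message: str


# Constructed log format: "<ts> device=<id> objective=<C|I|A|Auth> msg=<text>".
LOG_RE = re.compile(r"device=(\S+) objective=(\S+) msg=(.*)")
OBJECTIVE_FIELD = {"C": "confidentiality", "I": "integrity",
                   "A": "availability", "Auth": "authenticity"}


def prioritise(registry: AssetRegistry, log_lines: List[str]) -> List[PrioritisedEvent]:
    """Order events so that higher protection needs take precedence (AM-09.04AC).

    Lines that do not match the expected format are skipped; ties keep
    arrival order because sort() is stable.
    """
    events = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        device, objective, message = m.groups()
        need = registry.protection_need(device)
        field = OBJECTIVE_FIELD.get(objective)
        level = getattr(need, field) if field else need.overall
        events.append(PrioritisedEvent(int(level), device, message))
    events.sort(key=lambda e: e.priority, reverse=True)
    return events


def build_sample_registry() -> AssetRegistry:
    # Constructed sample assets; the unregistered MAC address below is deliberate.
    reg = AssetRegistry()
    reg.register(Asset("srv-0042", "platform-team",
                       ProtectionNeed(Level.VERY_HIGH, Level.HIGH, Level.HIGH, Level.HIGH)))
    reg.register(Asset("lap-0815", "field-sales",
                       ProtectionNeed(Level.HIGH, Level.NORMAL, Level.NORMAL, Level.NORMAL)))
    return reg


SAMPLE_LOGS = [  # constructed
    "2024-01-01T10:00:00Z device=lap-0815 objective=A msg=agent heartbeat missed",
    "2024-01-01T10:00:05Z device=srv-0042 objective=C msg=unexpected outbound transfer",
    "2024-01-01T10:00:07Z device=aa:bb:cc:dd:ee:ff objective=Auth msg=connection from unregistered device",
    "2024-01-01T10:00:09Z device=srv-0042 objective=A msg=disk latency above threshold",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for ev in prioritise(build_sample_registry(), SAMPLE_LOGS):
        print(ev.priority, ev.device, ev.message)
```

The unregistered MAC address lands at the top together with the confidentiality event on the highly classified server, which is the behaviour AM-09.01B to AM-09.04B ask for when an asset has not been categorised; an integration with a real monitoring pipeline would replace the constructed log format with the tool's own event schema.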
1.1 References
1.2 Identified Requirements
1.3 Related Regulations
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |