BCM-04.01B

1. Overview

BCM-04.01B

Business continuity plans are tested on a regular basis (at least annually) or after significant organisational or environmental changes. Tests involve affected cloud service customers and relevant third parties (e.g. service organisations).

Tests are primarily conducted at the operational level and are aimed at operational target groups. Tests include e.g.:

1. Test of technical precautionary safeguards;
2. Functional tests; and
3. Plan review.

Exercises also take place on a tactical and strategic level. These include e.g.:

1. Plan meeting;
2. Personnel exercise;
3. Command post exercise;
4. Communication and alerting exercise;
5. Simulation of scenarios; and
6. Emergency or full exercise.

Relevant third parties are in particular service organisations of the cloud service provider who contribute to the development or operation of the cloud service (cf. basic criteria SSO-02 and SSO-06). A cloud service customer is affected (in the sense of this criterion) if the test or exercise leads to a service downgrade outside of the level defined in the SLA or if the effectiveness of the plans can only be tested if the cloud service customer has to take action.
Designation Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation