COM-02 Policy for Planning and Conducting Audits

1. Overview

Designation Standard
COM-02.01B The cloud service provider documents and implements an audit programme over multiple years that defines the scope and the frequency of the audits. The audit programme takes into consideration the management of change, policies, and the results of the risk assessment (cf. OIS-07).

An audit is a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Audits may be performed as internal audits, sometimes called first party audits, that are conducted by, or on behalf of, the organisation itself. They may also be performed as external audits, generally called second and third party audits. Second party audits are conducted by parties having an interest in the organisation, such as customers, or by other individuals on their behalf. Third party audits are conducted by independent auditing organisations.

An audit programme comprises arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose. The audit programme may, for example, comprise a time frame of three years, and may comprise internal and external audits.

COM-02 is fully applicable to virtual infrastructure and infrastructure as code. Audit activities might still impact operations in a virtual environment. Reviews of configurations might for example be performed as part of code reviews.
COM-02.02B Risk-based policies and procedures for planning and conducting audits are documented, communicated and made available in accordance with SP-01. In order to prevent adverse effects of the audit on the operation of the cloud service, they address the following aspects:

1. Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the activities;
2. Activities that may result in outages, degradations of the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods;
3. Logging and monitoring of activities;
4. Review of server and network equipment configurations under the responsibility of the cloud service provider;
5. Intrusion testing for external access points; and
6. Source code reviews of internally developed security features.

See DEV-05 for further explanation of security features.
COM-02.01AC The cloud service provider grants its cloud service customers contractually agreed information and audit rights. These rights may be exercised individually or as part of group audits.
COM-02.01AS The cloud service provider documents and implements an audit programme over three years that defines the scope and the frequency of the audits. The audit programme takes into consideration the management of change, policies, and the results of the risk assessment (cf. OIS-07).

The explanatory notes on audits, audit programmes, and applicability to virtual infrastructure and infrastructure as code given under COM-02.01B apply unchanged; the additional criterion differs only in fixing the programme's time frame at three years rather than leaving it open.
COM-02 Supplementary Information - Complementary Customer Criteria

Cloud service customers ensure with suitable controls that appropriate responses are made to outages or degradations of the cloud service caused by such audits.

To the extent that contractually agreed information and audit rights exist, the cloud service customers ensure with suitable controls that these rights are designed and executed in accordance with their own requirements.

1.1 References

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation