+COM-04 Information on Information Security Performance and Management Assessment of the ISMS
1. Overview
| *Designation* | *Standard* |
| COM-04.01B | The top management of the cloud service provider is regularly informed about the information security performance within the scope of the ISMS in order to ensure its continued suitability, adequacy and effectiveness. The information is included in the management review of the ISMS. This management review is performed at least once a year. The top management is a natural person or group of people who take final decisions for the institution and are accountable for these. The aspects to be dealt with in the management review of the ISMS are listed in section 9.3 of ISO / IEC 27001. |
| COM-04.01AC | The cloud service provider defines and implements technical and operational metrics that align with the organisation's business objectives, security requirements, and compliance obligations. These metrics are documented and included in the management review of the ISMS to ensure their continued suitability, adequacy, and effectiveness. |
| COM-04.02AC | The responsible business units of the cloud service provider report at least annually to the top management on the status and effectiveness of the policies and procedures that are relevant to the top management review of the information security management system. This reporting includes at least: 1. Implemented changes to address cybersecurity risks for the topic addressed in the policy or procedure; 2. Information security incidents for the topic addressed in the policy or procedure and the follow-up; 3. Performance of the internal controls regarding information security for the topic addressed in the policy or procedure; and 4. Planned changes for the topic addressed in the policy or procedure to address cybersecurity risks and information security and cybersecurity. |
2. Identified Requirements
Requirements
| *Source* | *Requirement* |
3. Related Regulations
Regulations
| *Source* | *Regulation* |