+CRY-03 Review of Cryptography Practices
---+CRY-03.01B
---+CRY-03.02B

1. Übersicht

CRY-03 Review of Cryptography Practices

CRY-03.01B

The cloud service provider ensures that encryption, authentication and key management practices are regularly audited in accordance with COM-02 and COM-03 to identify and address potential vulnerabilities. At a minimum, reviews are performed annually and immediately following security incidents involving cryptographic components.

Further criteria for key management are found in criteria CRY-06, CRY-07, CRY-09 - CRY-19

CRY-03.02B

As part of the reviews, the cloud service provider determines if the cryptographic practices align with the state of the art and updates them as needed.

The cloud service provider applies the cryptographic change management process (cf. CRY-02) when updating the cryptographic practices to align with the state of the art.

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html