DEV-02.02B
1. Overview

Before outsourcing the development of the cloud service or components thereof, the cloud service provider conducts a risk assessment according to SSO-02 that takes into account at least the following aspects:

1. Management of source code by the service organisation;
2. Accessibility of source code to the cloud service provider;
3. Human resource procedures implemented by the service organisation;
4. Required access to the development, test and preproduction environments of the cloud service provider; and
5. Management of subcontractors engaged by the service organisation.

Outsourced development in the sense of the basic criterion refers to the development of system components used specifically for the cloud service by a service organisation of the cloud service provider. The development takes place according to the processes of the service organisation.

The risks that may arise and should be taken into account can, but do not have to, include:

1. Risks that may result from the service organisation managing source code without adequate controls, including unauthorised modifications, insufficient version control, or inadequate protection against loss or theft of intellectual property;
2. Risks that may result from the service organisation granting access to source code to the cloud service provider or to third-party evaluators, including unauthorised disclosure, loss of confidentiality, or inadequate controls governing how such access is managed and restricted;
3. Risks that may result from inadequate personnel screening, insufficient background checks, lack of security awareness training, or high staff turnover within the service organisation, including insider threats or uncontrolled loss of sensitive knowledge;
4. Risks that may result from granting the service organisation access to internal development, test or preproduction environments, including excessive privileges, insufficient access controls, or inadequate logging and monitoring of such access; and
5. Risks that may result from the service organisation subcontracting parts of the service without adequate security controls in place, including insufficient contractual security requirements imposed on subcontractors or a lack of transparency regarding the composition of the supply chain.

The purchase of software available on the market, as well as the integration of external personnel into the processes of the cloud service provider, does not constitute outsourcing in the sense of this basic criterion.
1.1 References

1.2 Identified Requirements

2. Identified Requirements

3. Related Regulations