IAM-07.02AC

1. Overview

IAM-07.02AC

In order to directly or indirectly access cloud service customer data, all internal or external personnel of the cloud service provider have to pass an appropriate assessment, or instead have to be supervised by personnel who have passed an appropriate assessment (cf. HR-01). The cloud service provider verifies that one of these conditions is met before access is granted. This applies to support operations as well.

Access to cloud service customer data also includes disclosure of data as part of investigation requests according to INQ-03. These are to be communicated to cloud service customers to the extent that this is not legally prohibited.

The criterion aims at minimising the cloud service provider's capability to access cloud service customer data. Minimising the cloud service provider's ability to access cloud service customer data is often a question of the radius of the collusion circle. For example, if the four-eyes principle for access is applied and the access is being logged, then three people make up the collusion circle. In order to build trust in such access statements, the cloud service provider should describe in the system description the measures taken to enlarge the collusion circle.

The cloud service provider should make details about how the supervised access is performed accessible to cloud service customers.
Designation Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation